[97075] in North American Network Operators' Group


Re: IPv6 Advertisements

daemon@ATHENA.MIT.EDU (Jeroen Massar)
Thu May 31 15:33:04 2007

Date: Thu, 31 May 2007 20:32:11 +0100
From: Jeroen Massar <jeroen@unfix.org>
To: Valdis.Kletnieks@vt.edu
Cc: North American Noise and Off-topic Gripes <nanog@merit.edu>
In-Reply-To: <8666.1180639256@turing-police.cc.vt.edu>
Errors-To: owner-nanog@merit.edu



Valdis.Kletnieks@vt.edu wrote:
> On Thu, 31 May 2007 18:40:42 BST, Jeroen Massar said:
>
>> When you have a large company, the company is also split over several
>> administrative sites, in some cases you might have a single
>> administrative group covering several sites though, this allows you to
>> provide them with a single /48 as they are one group they will know
>> how to properly divide that address space up.
>
> Works great, until you realize that for traffic engineering purposes, you
> really want to announce your Los Angeles site at an exchange near there,
> and your London site to be announced near there, and you end up wondering
> whether deaggregating the /48, or getting a second/third /48 would be wiser.. ;)

Yes, that is indeed one of the many problems that come associated with
getting a huge /32. You are supposed to announce that in one
aggregated chunk...

At the moment you end up announcing chunks of the /48 to the local
area and backhauling traffic from one site to another. The option for
getting a separate /48 per site is then very tempting I guess. Unless
you have a 10k or so of those sites...

Firewall-wise having one big chunk is of course very interesting as
you only need 1 ACL. Then again, do you trust everybody in your
company? :) I guess that a different way of authentication, eg using
authenticated packets (IPSEC AH) will become more and more common.
One part missing there is a "Token" which can be added though, eg you
have a local Authority which says "I allow X to send packet from Y to
Z", take that token and attach it to packets. Firewalls trust the
Authority and thus allow those packets through. Accidentally this is
similar to something that came up in the DTN meeting last week.

This is something that needs to be solved with a magic new routing
mechanism though, like a lot of other things.

Greets,
 Jeroen



