On Tue, Jan 22, 2013 at 10:25:21AM -0500, Simo Sorce wrote:
> On Tue, 2013-01-22 at 16:18 +0100, Adam Tkac wrote:
> > Before we start talking about using DNS for this purpose, have you
> > considered
> > to use IP anycast for this? You can simply create multiple servers
> > with same IP
> > address on different places over the world. After that you announce
> > this IP
> > address from multiple places simultaneounsly via BGP and BGP
> > automatically
> > routes all clients to the closest node. Advantage is that this is
> > already
> > implemented, used and nothing have to be modified.
> > Regards, Adam
> We cannot assume our customers can influence or have access to change
> BGP routing, so I excluded multicast solutions from the get go.
> Also it requires more changes on the clients which is another heavy
If I understand correctly, target customers of IPA are companies and they use
IPA to maintain resources in their internal networks, aren't they?
In this case I see two basic solutions how to solve the "location" issue.
1. BGP routing between multiple internal networks
If customer wants to interconnect multiple networks (for example networks in
different offices) so resources in network 1 will be accessible from network 2,
he must use some kind of routing. All traffic from network 1 must go through
border router and is accepted by border router in network 2:
network1 <-> router1 <-> router2 <-> network2
This can be extended to multiple offices and all border routers will talk to
In this scenario customer can specify set of rules on each router and route
traffic to services to specific locations. Please note that there is no need to
announce anything to the Internet via BGP.
2. No routing between internal networks
In this case networks aren't interconnected so no routing is involved. In this
case "location" discovery doesn't make sense because machine in network 1
cannot access resources in network 2. So it will also use the closest service.
To summarize my idea, as long as services have _same_ IP addresses in all
cooperating IPA installations, which definitely make sense, you don't need to
use DNS for location because routing protocol will automatically pick the
I don't see any reason for modifications on clients. Everything what will be
modified is routing rules on border routers. Please note that anycast !=
Adam Tkac, Red Hat, Inc.
Freeipa-devel mailing list