Pekka Nikander wrote:

> As I have been touting my opinion that tunnelling is an indication of
> deficiencies in the architecture, I want to express the reasons why I
> believe so. Note that I am _not_ saying that tunnelling is _evil_.
> Tunnelling is often fine as a short term solution, and sometimes also
> as a longer term solution. However, independent of that, tunnelling
> (almost) always indicates that the architecture does not provide
> functionality that it should provide.

That is like saying that VM is an indication that memory is deficient,
or that an OS is an indication of a deficiency of running on a bare
system. Tunneling is just the networking equivalent of VM or an OS - a
way to abstract architecture, to allow flexibility, concurrent use for
different purposes, etc.

...

> Case 1: Tunnelling a protocol over itself
> ==========================================
>
> Examples of this include IPsec in tunnel mode, GTP, and other forms of
> IP-over-IP tunnelling. My basic concern with this kind of tunnelling
> is that it enforces two different _semantics_ to a single identifier
> space, and therefore makes the system more brittle. Conversely, the
> architecture should provide functionality so that such overloaded
> semantics and brittleness are not needed.

The address spaces are different, so different semantics are OK. The
address inside the tunnel is (or should be) interpreted in the context
of the tunnel, just as an application's memory address is interpreted
in the context of the page table.

...

> So, my claim is that tunnelling is (almost) always an indication that
> the architecture has one or more of the following deficiencies:
>
> 1. A layer (of indirection) is missing
>
> 2. Some security functionality is missing
>
> 3. The architecture has failed to provide sufficient resources
>
> 4. Some functionality is provided at or on-the-top-of a wrong layer
>
> All of the discussion above is really architectural in nature. The
> starting point is the layering model, and the discussion is mostly
> about how the layering fails and what are the reasons, in each case,
> for the failure.

Sure - and the way we deploy new services and architectures is to
deploy them on tunnels on top of the existing architectures. That's a
feature, not a bug. Tunnels are tools that can be misused or not, but
their use is not in and of itself an indication of anything other than
growth.

Joe
_______________________________________________ Int-area mailing list [email protected] https://www1.ietf.org/mailman/listinfo/int-area
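The two positions above (the inner address "interpreted in the context of the tunnel" versus "two different semantics on a single identifier space") can be made concrete with a toy model of IP-over-IP tunnelling. The following is an added example written for this page; it is not code from either poster or from any IETF document. The Tunnel and Packet types, their field names, the site names A and B, and every address (private 10.0.0.0/8 inside, placeholders from the 198.51.100.0/24 documentation block outside) are constructed for illustration. It shows that the same inner address resolves differently in two tunnels when the decapsulator keeps the tunnel as context, that a decapsulator which strips the outer header and consults one global table delivers to the wrong site, and that the context-aware decapsulator drops an inner packet whose addresses fall outside the space the tunnel carries (the kind of inbound selector check IPsec tunnel mode performs).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    payload: object  # application data (str) or, for an outer packet, the inner Packet


@dataclass
class Tunnel:
    """One tunnel: an outer endpoint pair plus the inner address space it carries.
    Hypothetical model; the field names are this example's own."""
    name: str
    outer_local: IPv4Address
    outer_remote: IPv4Address
    inner_space: IPv4Network  # the context in which inner addresses are interpreted

    def encapsulate(self, inner: Packet) -> Packet:
        # Wrap the inner packet in an outer header addressed to the tunnel peer.
        return Packet(self.outer_local, self.outer_remote, inner)

    def decapsulate(self, outer: Packet) -> Packet:
        # Context-aware decap: the outer header must belong to this tunnel, and the
        # inner addresses must belong to the space this tunnel carries. Anything
        # else is dropped rather than forwarded.
        if (outer.src, outer.dst) != (self.outer_remote, self.outer_local):
            raise ValueError(f"{self.name}: outer header does not belong to this tunnel")
        inner = outer.payload
        if not isinstance(inner, Packet):
            raise ValueError(f"{self.name}: payload is not an encapsulated packet")
        if inner.src not in self.inner_space or inner.dst not in self.inner_space:
            raise ValueError(f"{self.name}: inner {inner.src}->{inner.dst} outside {self.inner_space}")
        return inner


def deliver_with_context(tunnel: Tunnel, outer: Packet, per_tunnel_tables: dict) -> str:
    # The inner destination is looked up in the table that belongs to this tunnel,
    # so 10.0.0.5 in tunnel A and 10.0.0.5 in tunnel B are distinct identifiers.
    inner = tunnel.decapsulate(outer)
    return per_tunnel_tables[tunnel.name][inner.dst]


def deliver_without_context(outer: Packet, flat_table: dict) -> str:
    # Naive decap: strip the outer header and consult one global table. The
    # tunnel context is lost, so overlapping inner spaces collide.
    inner = outer.payload
    return flat_table[inner.dst]


def demo() -> dict:
    # Constructed scenario: sites A and B both use 10.0.0.0/8 internally and both
    # have a host 10.0.0.5; each is tunnelled to a hub over public addresses.
    site_net = IPv4Network("10.0.0.0/8")
    hub = IPv4Address("198.51.100.1")
    hub_a = Tunnel("A", hub, IPv4Address("198.51.100.10"), site_net)  # hub end of tunnel A
    hub_b = Tunnel("B", hub, IPv4Address("198.51.100.20"), site_net)  # hub end of tunnel B
    peer_a = Tunnel("A", IPv4Address("198.51.100.10"), hub, site_net)  # site A's end
    peer_b = Tunnel("B", IPv4Address("198.51.100.20"), hub, site_net)  # site B's end

    tables = {
        "A": {IPv4Address("10.0.0.5"): "host-in-site-A"},
        "B": {IPv4Address("10.0.0.5"): "host-in-site-B"},
    }
    inner = Packet(IPv4Address("10.0.0.9"), IPv4Address("10.0.0.5"), "hello")
    from_a = peer_a.encapsulate(inner)  # same inner packet, sent through tunnel A
    from_b = peer_b.encapsulate(inner)  # ... and through tunnel B

    results = {
        "with_context_A": deliver_with_context(hub_a, from_a, tables),
        "with_context_B": deliver_with_context(hub_b, from_b, tables),
    }

    # Flattening both tables into one loses the context: B's entry overwrites A's,
    # and A's packet is delivered to the wrong site.
    flat = {**tables["A"], **tables["B"]}
    results["without_context_A"] = deliver_without_context(from_a, flat)

    # An inner packet addressed outside the tunnel's space (here, to the hub's own
    # public address) is rejected by the context-aware decapsulator.
    stray = Packet(IPv4Address("10.0.0.9"), hub, "hello")
    try:
        hub_a.decapsulate(peer_a.encapsulate(stray))
        results["stray_rejected"] = False
    except ValueError:
        results["stray_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the four outcomes: the two context-aware deliveries land at different hosts, the flat lookup sends site A's traffic to site B's host, and the stray packet is dropped. The design choice worth noting is that the per-tunnel table is what makes the overlapping address spaces safe; the moment a component forwards on the inner header alone, the overload Pekka describes becomes an observable fault.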
