Fred Baker wrote:

> On Apr 8, 2005, at 4:58 PM, Erik Nordmark wrote:
>
>> Applying IPsec doesn't help solve the authorization issue of who should be allowed to receive packets sent to a particular anycast address.
>
> Can you tell me any address or type of address for which that is an objective either of internet routing or addressing?

I guess I don't understand the question.

The way I use "authorize" in this context is best shown in this example:
For regular unicast, the fact that my ISP has assigned a /29 to me, and inserted that in their routing tables manually, means that the DSL line to my house is authorized to receive packets addressed to that address prefix.

With this, coupled with trust in the ISPs that run BGP (but not necessarily much security), we are pretty confident that packets sent to one of Google's IP addresses in fact get routed to one of Google's machines (or dropped under overload).

Enter anycast. If we try to design a protocol mechanism by which any host can say "send me packets for this anycast address" and with anycast addresses being syntactically indistinguishable from unicast, what would prevent my laptop from saying it wants to receive packets addressed to one of Google's unicast addresses?

Thus my point is that any grand unified approach to anycast needs to think about the authorization issues.

Of course, this isn't a problem in the way IPv4 anycast is used for DNS, because there is manual configuration hence implicit authorization of which DNS servers are part of the anycast sets.

   Erik

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
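
A toy model of the authorization point made in the message above, as an added example that is not part of the original message: a router that accepts host "join" requests for an address with no check, beside one that only accepts joins covered by a prefix the operator provisioned on that port. The `Router` class, the join request and the port names are hypothetical, and the addresses come from the 2001:db8::/32 documentation prefix.

```python
import ipaddress


class Router:
    """Toy router taking 'send me packets for this address' requests (hypothetical protocol)."""

    def __init__(self, check_authorization):
        self.check_authorization = check_authorization
        self.routes = {}      # network -> set of ports that receive its packets
        self.authorized = {}  # port -> prefixes the operator assigned to it

    def provision(self, port, prefix):
        """Operator action: manual configuration, which is the implicit authorization."""
        net = ipaddress.ip_network(prefix)
        self.authorized.setdefault(port, []).append(net)
        self.routes.setdefault(net, set()).add(port)

    def join(self, port, address):
        """A host on `port` asks to receive packets sent to `address`."""
        host = ipaddress.ip_network(address)  # single-address (/128) route
        if self.check_authorization and not any(
            host.subnet_of(net) for net in self.authorized.get(port, [])
        ):
            return False  # requester was never assigned a prefix covering this address
        self.routes.setdefault(host, set()).add(port)
        return True

    def lookup(self, address):
        """Longest-prefix match: the ports that may receive a packet to `address`."""
        addr = ipaddress.ip_address(address)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return set()
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


def demo(check_authorization):
    """Constructed scenario: a laptop asks for an address inside a service's prefix."""
    router = Router(check_authorization)
    router.provision("port-service", "2001:db8:a::/48")  # service operator's prefix
    router.provision("port-laptop", "2001:db8:b::/64")   # home user's prefix
    accepted = router.join("port-laptop", "2001:db8:a::53")
    return accepted, router.lookup("2001:db8:a::53")


if __name__ == "__main__":
    print("no authorization check:", demo(False))
    print("join checked against provisioned prefixes:", demo(True))
```

Because the address itself does not say whether it is anycast or unicast, the check can only key on who was provisioned for the covering prefix, not on the address.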
