David,
> ::/0 from 2001:db8:1::/48 via PA-provider-1
> ::/0 from 2001:db8:2::/48 via PA-provider-2
> ::/0 from 2001:db8:cccc::/48 unreachable
> 2001:db8:cccc::/48 from 2001:db8:cccc::/48 via IPsec-gateway
> 2001:db8:cccc::/48 from ::/0 unreachable
>
> Where the last route would prevent accidental leaking of packets onto
> the internet in case the IPsec gateway malfunctions. (The 3rd route is
> redundant if there's no "::/0 from ::/0")
>
> But - apart from ease of use for multiple prefixes, this can be done
> without SADR just fine, the only advantage is that there's full
> information regarding which source addresses work with which
> destinations. If we get that to hosts, and into their source address
> selection, then we won something.
in a simple triangle topology:
| |
CE1 CE2
\ /
\ /
IR1
|
-----------------
|
Host
with PA1 and PA2 doing BCP38 filtering and a non SADR capable network, I would
assert that you cannot do this without SADR.
IR1 load balances, and you could end up in a situation where IR1 load balancing
would pick CE1 exit for PA2 source address, and CE2 exit for PA1 source
address. with the result that whatever the host tried to do, all traffic would
be black-holed by the ISP ingress filters.
with regards to getting SAS policies into hosts, that isn't necessary for the
multi-homed to congruent networks case. it is needed in the walled garden cases
(but there are some many other issues with walled gardens that I'm not sure the
IETF should try to fix a broken business model). we do have a DHCP option
already to configure a host's SAS table for this purpose. RFC7078.
cheers,
Ole
_______________________________________________
rtgwg mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/rtgwg
