jeroen at unfix.org
Thu May 31 19:32:11 UTC 2007
Valdis.Kletnieks at vt.edu wrote:
> On Thu, 31 May 2007 18:40:42 BST, Jeroen Massar said:
>> When you have a large company, the company is also split over several
>> administrative sites, in some cases you might have a single
>> administrative group covering several sites though, this allows you to
>> provide them with a single /48 as they are one group they will know
>> how to properly divide that address space up.
> Works great, until you realize that for traffic engineering purposes, you
> really want to announce your Los Angeles site at an exchange near there,
> and your London site to be announced near there, and you end up wondering
> whether deaggregating the /48, or getting a second/third /48 would be wiser.. ;)
Yes, that is indeed one of the many problems that come associated with
getting a huge /32. You are supposed to announce that at in one
At the moment you end up announcing chunks of the /48 to the local
area and backhauling traffic from one site to another. The option for
getting a separate /48 per site is then very tempting I guess. Unless
you have 10k or so of those sites...

Firewall-wise having one big chunk is of course very interesting as
you only need 1 ACL. Then again, do you trust everybody in your
company? :) I guess that a different way of authentication, e.g. using
authenticated packets (IPsec AH) will become more and more common.

One part missing there is a "Token" which can be added though, e.g. you
have a local Authority which says "I allow X to send packets from Y to
Z", take that token and attach it to packets. Firewalls trust the
Authority and thus allow those packets through. Accidentally this is
similar to something that came up in the DTN meeting last week.

This is something that needs to be solved with a magic new routing
mechanism though, like a lot of other things.
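
The "Token" idea from the message above, sketched as an added example; it is not code from the original post or from any specification the post refers to. The HMAC-SHA256 key shared between the Authority and the firewalls, the token layout and all function names are assumptions made for illustration.

```python
# Added illustration: token layout, key handling and names are assumptions,
# not a mechanism specified in the post.
import hashlib
import hmac
import ipaddress
import struct

AUTHORITY_KEY = b"constructed-demo-key-shared-with-firewalls"  # constructed sample key


def _encode(sender, src, dst, expires):
    """Length-prefixed canonical encoding so fields cannot run into each other."""
    s = sender.encode()
    return (struct.pack("!H", len(s)) + s
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + struct.pack("!Q", expires))


def issue_token(key, sender, src, dst, expires):
    """Authority side: 'I allow <sender> to send packets from <src> to <dst>'."""
    body = _encode(sender, src, dst, expires)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def firewall_accepts(key, token, pkt_src, pkt_dst, now):
    """Firewall side: check the Authority's MAC, then bind the grant to this packet."""
    if len(token) < 2 + 16 + 16 + 8 + 32:
        return False
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return False  # forged or modified token
    (slen,) = struct.unpack("!H", body[:2])
    if len(body) != 2 + slen + 40:
        return False
    src = ipaddress.IPv6Address(body[2 + slen:18 + slen])
    dst = ipaddress.IPv6Address(body[18 + slen:34 + slen])
    (expires,) = struct.unpack("!Q", body[34 + slen:])
    if now >= expires:
        return False  # stale grant
    # A valid token for another flow must not authorize this packet.
    return (src == ipaddress.IPv6Address(pkt_src)
            and dst == ipaddress.IPv6Address(pkt_dst))
```

The MAC here covers only the grant, not the packet contents, so it does not by itself prevent reuse of an observed token before it expires; per-packet authentication such as the IPsec AH mentioned in the message is a separate layer.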