IXP

Jack Bates jbates at brightok.net
Sat Apr 18 17:44:37 UTC 2009


Paul Vixie wrote:
> in terms of solid and predictable i would take per-peering VLANs with IP
> addresses assigned by the peers themselves, over switches that do unicast
> flood control or which are configured to ignore bpdu's in imaginative ways.
> 

Simplicity only applies when it doesn't hinder security (the baseline 
complexity). PE/BRAS systems suffer from a subset of IXP issues with a 
few of their own. It amazes me how much "security" has been pushed from 
the PE out into switches and dslams. Enough so that I've found many 
vendors that break IPv6 because of their "security" features. 1Q tagging 
is about the simplest model I have seen for providing the necessary 
isolation, mimicking PNI. For PE, it has allowed complete L3 ignorance 
in the L2 devices while enforcing security policies at the aggregation 
points. For an IXP it provides the necessary isolation and security 
without having an expectation of the type of L3 traffic crossing through 
the IXP.

It's true that 1Q tagging requires a configuration component, but I'd 
hesitate to call it complex. 10,000 line router configs may be long, but 
they are often repetitive due to configuration limitations rather than 
complex. HE's IPv6 tunnel servers are moderately more complex and have 
handled provisioning well in my experience.

Multicast was brought up as an issue, but it's not less efficient than 
if PNI had been used, and a structure could be designed to meet the 
needs of multicast when needed.


Jack
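The isolation model Jack describes (one 802.1Q VLAN per bilateral peering, with the L2 fabric staying ignorant of L3) can be made concrete with a small forwarding model. The following is an added example written for this archive page, not code from the thread or from any IXP's switch; port names, VLAN IDs and the sample frames are constructed. The switch parses only the Ethernet header and the 802.1Q tag, forwards a frame solely to the other member port of that VLAN, and drops anything untagged or tagged with a VLAN not provisioned on the ingress port. The payload is never inspected, so IPv4 and IPv6 (or any other ethertype) are handled identically, which is the point about L3 ignorance.

```python
# Added example: a minimal model of an IXP switch that isolates peerings with
# 802.1Q VLANs. Each bilateral peering gets its own VLAN ID, and frames are
# only forwarded between the two member ports of that VLAN. The forwarder
# reads only the Ethernet header and the 802.1Q tag; it never looks at the
# payload, so IPv4, IPv6 or anything else is treated alike.
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id, ethertype, payload) for a tagged frame,
    or None if the frame is untagged or too short to carry a tag."""
    if len(frame) < 18:
        return None
    dst, src, tpid = struct.unpack("!6s6sH", frame[:14])
    if tpid != TPID_8021Q:
        return None  # untagged frames are not accepted on peering ports
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    vlan_id = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID
    return dst, src, vlan_id, ethertype, frame[18:]


def build_frame(dst: bytes, src: bytes, vlan_id: int, ethertype: int, payload: bytes) -> bytes:
    """Construct an 802.1Q-tagged Ethernet frame (priority/DEI bits left at 0)."""
    return dst + src + struct.pack("!HHH", TPID_8021Q, vlan_id & 0x0FFF, ethertype) + payload


class PeeringSwitch:
    """Per-peering VLAN forwarder: a VLAN has exactly two member ports."""

    def __init__(self):
        self.peerings = {}  # vlan_id -> frozenset({port_a, port_b})

    def add_peering(self, vlan_id: int, port_a: str, port_b: str) -> None:
        if port_a == port_b:
            raise ValueError("a peering VLAN needs two distinct ports")
        self.peerings[vlan_id] = frozenset((port_a, port_b))

    def forward(self, ingress_port: str, frame: bytes):
        """Return (egress_port, reason); egress_port is None when dropped."""
        parsed = parse_frame(frame)
        if parsed is None:
            return None, "untagged-or-malformed"
        _dst, _src, vlan_id, _ethertype, _payload = parsed
        members = self.peerings.get(vlan_id)
        if members is None or ingress_port not in members:
            # Either no such peering exists or this port is not part of it:
            # a peer cannot inject into someone else's VLAN.
            return None, "vlan-not-provisioned-on-port"
        (egress,) = members - {ingress_port}
        return egress, "forwarded"


# Constructed sample data: three hypothetical member ports and two peerings.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")


def demo_switch() -> PeeringSwitch:
    sw = PeeringSwitch()
    sw.add_peering(100, "portA", "portB")  # peering A<->B on VLAN 100
    sw.add_peering(200, "portA", "portC")  # peering A<->C on VLAN 200
    return sw


if __name__ == "__main__":
    sw = demo_switch()
    v6 = build_frame(MAC_B, MAC_A, 100, ETHERTYPE_IPV6, b"\x60" + b"\x00" * 39)
    print(sw.forward("portA", v6))                     # ('portB', 'forwarded')
    print(sw.forward("portC", v6))                     # (None, 'vlan-not-provisioned-on-port')
    print(sw.forward("portA", MAC_B + MAC_A + b"\x08\x00" + b"\x45" + b"\x00" * 19))  # untagged
```

The check that matters for isolation is the `ingress_port not in members` test: a member on portC cannot reach portB by tagging with VLAN 100, because that VLAN is not provisioned on portC, and the switch never needs to know whether the payload is v4, v6 or something else to make that decision.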




More information about the NANOG mailing list