Ingress Filtering, Site Multihoming, and Source Address Selection

Slides:

Advertisements

Similar presentations

Advertisements

Source Address Selection in Multi-Prefix Multi-Service Network Arifumi Matsumoto NTT PF Lab.

Host Centric Multi6 Christian Huitema Architect Windows Networking & Communications Microsoft Corporation.

CSC458 Programming Assignment II: NAT Nov 7, 2014.

Internetworking II: MPLS, Security, and Traffic Engineering

TCP/IP Protocol Suite 1 Chapter 27 Upon completion you will be able to: Next Generation: IPv6 and ICMPv6 Understand the shortcomings of IPv4 Know the IPv6.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

TCOM 509 – Internet Protocols (TCP/IP) Lecture 06_b Subnetting,Supernetting, CIDR IPv6 Instructor: Dr. Li-Chuan Chen Date: 10/06/2003 Based in part upon.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

Network Localized Mobility Management using DHCP

資管 Lee Lesson 12 IPv6 Mobility. 資管 Lee Lesson Objectives Components of IPv6 mobility IPv6 mobility messages and options IPv6 mobility data structures.

Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.

MPLS L3 and L2 VPNs Virtual Private Network –Connect sites of a customer over a public infrastructure Requires: –Isolation of traffic Terminology –PE,

Routing of Outgoing Packets with MP-TCP draft-handley-mptcp-routing-00 Mark Handley Costin Raiciu Marcelo Bagnulo.

2002 년 2 학기이동인터넷프로토콜 1 Mobile IP:Overview 년 2 학기이동인터넷프로토콜 2 Mobile IP overview Is Mobile IP an official standard? What problems does Mobile IP solve?

Lecture 3a Mobile IP 1. Outline How to support Internet mobility? – by Mobile IP. Our discussion will be based on IPv4 (the current version). 2.

Summary of Certification Process (part 1). IPv6 Client IPv6 packets inside IPv4 packets.

9/11/2015Home Networking1 Bob.test Have Road Runner Unhappy about reports of constant probes of machines Policy decision –I want to prevent unauthorized.

1 /160 © NOKIA 2001 MobileIPv6_Workshop2001.PPT / / Tutorial Mobile IPv6 Kan Zhigang Nokia Research Center Beijing, P.R.China

IPv6 Mobility Milo Liu SW2 R&D ZyXEL Communications, Inc.

TCP/IP Illustracted Vol1. 제목 : IP Routing ( 수 ) 한 민 규

Simple Multihoming Experiment draft-huitema-multi6-experiment-00.txt Christian Huitema, Microsoft David Kessens, Nokia.

Private Network Interconnection Chapter 20. Introduction Privacy in an internet is a major concern –Contents of datagrams that travel across the Internet.

Default Router Preferences and More-Specific Routes in RAs Richard Draves May 31, 2001 Redmond Interim IPv6 WG Meeting draft-ietf-ipngwg-router-selection-00.

IPv6 Routing Milo Liu SW2 R&D ZyXEL Communications, Inc.

GBUTtem 机密此报告仅供 NGN 实验室内部使用。未经 NGN 实验室的书面许可，其它任何机构不得擅自传阅、引用或复制。 sando 09/10/2005 Site-Multihoming over IPv6.

IP1 The Underlying Technologies. What is inside the Internet? Or What are the key underlying technologies that make it work so successfully? –Packet Switching.

1 Spring Semester 2009, Dept. of Computer Science, Technion Internet Networking recitation #7 DVMRP.

RFC 3964 Security Considerations for 6to4 Speaker: Chungyi Wang Adviser: Quincy Wu Date:

Understanding IPv6 Slide: 1 Lesson 12 IPv6 Mobility.

Introduction to Mobile IPv6

1 Requirements for Internet Routers (Gateways) and Hosts Relates to Lab 3. (Supplement) Covers the compliance requirements of Internet routers and hosts.

Ασύρματες και Κινητές Επικοινωνίες Ενότητα # 10: Mobile Network Layer: Mobile IP Διδάσκων: Βασίλειος Σύρης Τμήμα: Πληροφορικής.

Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out.

IP Transitioning in CE Routers Mark Townsley, Ole Troan.

Site Multihoming for IPv6 Brian Carpenter IBM TERENA Networking Conference, Poznan, 2005.

Default Address Selection for IPv6 Richard Draves May 31, 2001 Redmond Interim IPv6 WG Meeting draft-ietf-ipngwg-default-addr-select-04.

IETF #58 in Minneapolis1 IPv6 Address Assignment and Route Selection for End-to-End Multihoming Kenji Ohira Kyoto University draft-ohira-assign-select-e2e-multihome-02.txt.

Label Distribution Protocols LDP: hop-by-hop routing RSVP-TE: explicit routing CR-LDP: another explicit routing protocol, no longer under development.

IETF #57 in Viena1 IPv6 Address Assignment and Route Selection for End-to-End Multihoming Kenji Ohira Kyoto University draft-ohira-assign-select-e2e-multihome-01.txt.

Understanding IPv6 Slide: 1 Lesson 5 ICMPv6. Understanding IPv6 Slide: 2 Lesson Objectives Purpose of ICMPv6 and the structure of all ICMPv6 messages.

1 IPv6: Address Architecture Dr. Rocky K. C. Chang 29 January, 2002.

A Fragmentation Strategy for Generic Routing Encapsulation (GRE)

Configuration for routing example

Introduction to Networks

Routing and Addressing in Next-Generation EnteRprises (RANGER)

CSC458 Programming Assignment II: NAT

Discussion on DHCPv6 Routing Configuration

Booting up on the Home Link

Default Router Preferences and More-Specific Routes in RAs

Simple Failover Mechanism for Lightweight 4over6

Homenet Architecture Discussion

End-to-end Multihoming <draft-ohta-e2e-multihoming-00.txt>

Chapter 5 The Network Layer.

Tokyo Institute of Technology

COMPUTER NETWORKS CS610 Lecture-33 Hammad Khalid Khan.

Filtering Spoofed Packets

Simple Connectivity Between InfiniBand Subnets

Introduction to Networking

Introduction to Networking

Fragmentation issues in IPv4/IPv6 translation

ECE 544 Project3 Team member: BIAO LI, BO QU, XIAO ZHANG 1 1.

An Update on Multihoming in IPv6 Report on IETF Activity

Figure 6.11 Configuration for Example 4

Lecture 4a Mobile IP 1.

Computer Networks Protocols

Review of Internet Protocols Network Layer

Chapter 4: outline 4.1 Overview of Network layer data plane

Presentation transcript:

Ingress Filtering, Site Multihoming, and Source Address Selection draft-draves-ipngwg-ingress-filtering-00 Richard Draves May 31, 2001 Redmond Interim IPv6 WG Meeting

The Problem Multi-homed site Site prefix from each ISP ISPs perform source-address-based ingress filtering Routing within site is based on destination address – egress is independent of source address. => No connectivity to some destinations.

Possible Solutions Tunneling between egress routers Simplify – sites with one link Prefix policy configuration New ICMP error

Tunneling between Egress Routers Site egress routers inspect the source address Tunnel packets to other egress router Pro – No changes in hosts Con – inefficient routing Con – requires router configuration

Sites with One Link Suppose site has one link with multiple ISP routers, Each ISP router advertises only its own prefix, Then router choice could influence source address selection if hosts remember which router advertised the prefix used to generate each address.

Discussion Pro – fairly simple change to hosts Con – limited applicability Can be generalized to site networks where each internal router only forwards towards one egress.

Prefix Policy Configuration Use prefix policy table configuration to control choice of source address for different destination prefixes. Pro – uses existing mechanism. Con – need to understand how intrasite routing partitions destination space. This partition likely not constant across time or site topology. Con – need to distribute policies to hosts. In RAs?

New ICMP Error Destination-unreachable due to source filter, supplies the required prefix. Allow list of prefixes? Host can associate this prefix with a destination address and use it to influence source address selection. Analogous to PMTU discovery Except first router should be most restrictive.

Issue – TCP interaction This doesn’t help the first packet sent to a destination. Must modify TCP to recognize this error in response to a SYN and redo source address selection.

Issue – Routing the error ISP A dst D src B1 Site A1 B1 ISP B If ISP A sends the error to B1, then it will take a circuitous route back to the host.

Error Routing Solutions Force this particular ICMP error back out incoming interface? Send the ICMP error using a routing header with an intermediate destination, which is an anycast address equal to the site prefix? Assumptions: anycast address assigned to all routers in site using site prefix convex routing within the site.

New ICMP Error w/ Routing Header Pro – like PMTU discovery, good robustness Con – like PMTU discovery, first packet is dropped Con – additional mechanism