Ingress Filtering, Site Multihoming, and Source Address Selection

1
Ingress Filtering, Site Multihoming, and Source Address Selection
draft-draves-ipngwg-ingress-filtering-00
  • Richard Draves, May 31, 2001
  • Redmond Interim IPv6 WG Meeting

2
The Problem
  • Multi-homed site
  • Site prefix from each ISP
  • ISPs perform source-address-based ingress
    filtering
  • Routing within site is based on destination
    address; egress is independent of source
    address.
  • => No connectivity to some destinations.

3
Possible Solutions
  • Tunneling between egress routers
  • Simplify sites with one link
  • Prefix policy configuration
  • New ICMP error

4
Tunneling between Egress Routers
  • Site egress routers inspect the source address
  • Tunnel packets to other egress router
  • Pro: no changes in hosts
  • Con: inefficient routing
  • Con: requires router configuration

5
Sites with One Link
  • Suppose site has one link with multiple ISP
    routers,
  • Each ISP router advertises only its own prefix,
  • Then router choice could influence source address
    selection if hosts remember which router
    advertised the prefix used to generate each
    address.

6
Discussion
  • Pro: fairly simple change to hosts
  • Con: limited applicability
  • Can be generalized to site networks where each
    internal router only forwards towards one egress.

7
Prefix Policy Configuration
  • Use prefix policy table configuration to control
    choice of source address for different
    destination prefixes.
  • Pro: uses existing mechanism.
  • Con: need to understand how intrasite routing
    partitions destination space.
  • This partition likely not constant across time or
    site topology.
  • Con: need to distribute policies to hosts.
  • In RAs?

8
New ICMP Error
  • Destination-unreachable due to source
    filter, supplies the required prefix.
  • Allow list of prefixes?
  • Host can associate this prefix with a destination
    address and use it to influence source address
    selection.
  • Analogous to PMTU discovery
  • Except first router should be most restrictive.

9
Issue: TCP interaction
  • This doesn't help the first packet sent to a
    destination.
  • Must modify TCP to recognize this error in
    response to a SYN and redo source address
    selection.
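
An added sketch (not part of the original slides or the draft) of the host behaviour proposed on slides 8 and 9: the host caches the prefix carried in the source-filter error per destination, as a PMTU cache would, and redoes source address selection when the first SYN is dropped. The prefixes, addresses, and the names `send`, `Host`, and `connect` are assumptions made for illustration; the error is modelled as a return value, not as a real ICMP type.

```python
import ipaddress

# Constructed sample values (documentation prefixes), not from the slides.
ISP_PREFIX = {"A": ipaddress.ip_network("2001:db8:a::/48"),
              "B": ipaddress.ip_network("2001:db8:b::/48")}
# Destination-based intrasite routing: the egress ISP used for each destination prefix.
EGRESS_FOR = {ipaddress.ip_network("2001:db8:d1::/48"): "A",
              ipaddress.ip_network("2001:db8:d2::/48"): "B"}
A1 = ipaddress.ip_address("2001:db8:a::10")     # host address from ISP A's prefix
B1 = ipaddress.ip_address("2001:db8:b::10")     # host address from ISP B's prefix
D_VIA_A = ipaddress.ip_address("2001:db8:d1::1")
D_VIA_B = ipaddress.ip_address("2001:db8:d2::1")

def send(src, dst):
    """Forward one packet. Returns None if it passes the ISP's ingress filter,
    otherwise the prefix that the proposed error would supply."""
    egress = next(isp for net, isp in EGRESS_FOR.items() if dst in net)
    required = ISP_PREFIX[egress]               # egress was chosen without looking at src
    return None if src in required else required

class Host:
    def __init__(self, addresses):
        self.addresses = addresses              # one address per site prefix
        self.required_prefix = {}               # per-destination cache, like a PMTU cache

    def select_source(self, dst):
        prefix = self.required_prefix.get(dst)
        for addr in self.addresses:
            if prefix is None or addr in prefix:
                return addr
        return self.addresses[0]                # no address matches the learned prefix

    def connect(self, dst):
        """Send a SYN; on the source-filter error, redo source selection once.
        Returns (source used, packets sent), or (None, packets sent) on failure."""
        for attempt in (1, 2):
            src = self.select_source(dst)
            error_prefix = send(src, dst)
            if error_prefix is None:
                return src, attempt
            self.required_prefix[dst] = error_prefix   # remember for later packets
        return None, 2
```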

10
Issue: Routing the error
[Diagram: Site (labels A1, B1) connected to ISP A and ISP B; packet labelled dst D, src B1]
  • If ISP A sends the error to B1, then it will take
    a circuitous route back to the host.

11
Error Routing Solutions
  • Force this particular ICMP error back out
    incoming interface?
  • Send the ICMP error using a routing header with
    an intermediate destination, which is an anycast
    address equal to the site prefix?
  • Assumptions:
  • anycast address assigned to all routers in site
    using site prefix
  • convex routing within the site.

12
New ICMP Error w/ Routing Header
  • Pro: like PMTU discovery, good robustness
  • Con: like PMTU discovery, first packet is
    dropped
  • Con: additional mechanism