Valdis.Kletnieks@vt.edu wrote:
On Thu, 31 May 2007 18:40:42 BST, Jeroen Massar said:
When you have a large company, the company is also split over several administrative sites, in some cases you might have a single administrative group covering several sites though, this allows you to provide them with a single /48 as they are one group they will know how to properly divide that address space up.
Works great, until you realize that for traffic engineering purposes, you really want to announce your Los Angeles site at an exchange near there, and your London site to be announced near there, and you end up wondering whether deaggregating the /48, or getting a second/third /48 would be wiser.. ;)
Yes, that is indeed one of the many problems that come associated with getting a huge /32. You are supposed to announce that in one aggregated chunk... At the moment you end up announcing chunks of the /48 to the local area and backhauling traffic from one site to another. The option for getting a separate /48 per site is then very tempting I guess. Unless you have 10k or so of those sites...

Firewall-wise having one big chunk is of course very interesting as you only need 1 ACL. Then again, do you trust everybody in your company? :)

I guess that a different way of authentication, eg using authenticated packets (IPSEC AH) will become more and more common. One part missing there is a "Token" which can be added though, eg you have a local Authority which says "I allow X to send packet from Y to Z", take that token and attach it to packets. Firewalls trust the Authority and thus allow those packets through. Accidentally this is similar to something that came up in the DTN meeting last week.

This is something that needs to be solved with a magic new routing mechanism though, like a lot of other things.

Greets,
Jeroen
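The trade-off discussed above (one /32, per-site /48s, and a single aggregate ACL versus per-site ACLs) can be made concrete with a small Python model. This is an added example and not code from the thread or its participants; the prefix 2001:db8::/32 and the site names are constructed, and the ACL is a simplified ordered list of (action, network) pairs with an implicit deny at the end.

```python
import ipaddress

# Constructed example: a hypothetical company /32 (documentation range).
COMPANY_PREFIX = ipaddress.ip_network("2001:db8::/32")


def allocate_sites(company, site_names, site_len=48):
    """Carve one /48 per administrative site out of the company prefix, in order."""
    subnets = company.subnets(new_prefix=site_len)
    return {name: next(subnets) for name in site_names}


def acl_permits(acl, src_ip):
    """First-match evaluation of an ordered ACL; unmatched traffic is denied."""
    ip = ipaddress.ip_address(src_ip)
    for action, net in acl:
        if ip in net:
            return action == "permit"
    return False  # implicit deny


def aggregate_acl(company):
    """The 'one ACL' case: a single entry covering the whole /32."""
    return [("permit", company)]


def per_site_acl(allowed_sites):
    """Per-site entries: only the listed /48s are permitted."""
    return [("permit", net) for net in allowed_sites]


def sites_allowed_by(acl, sites):
    """Which sites' hosts get through a given ACL (tests one host per site)."""
    return sorted(name for name, net in sites.items() if acl_permits(acl, str(net[1])))


def covers_announcement(company, prefix):
    """True if a deaggregated site announcement lies inside the aggregate /32."""
    return ipaddress.ip_network(prefix).subnet_of(company)


if __name__ == "__main__":
    sites = allocate_sites(COMPANY_PREFIX, ["los-angeles", "london", "tokyo"])
    for name, net in sites.items():
        print(f"{name:12} {net}")
    # The aggregate ACL trusts every site; the per-site ACL only the ones named.
    print("aggregate ACL permits:", sites_allowed_by(aggregate_acl(COMPANY_PREFIX), sites))
    print("per-site ACL permits: ", sites_allowed_by(per_site_acl([sites["london"]]), sites))
    print("2001:db8:1::/48 inside /32:", covers_announcement(COMPANY_PREFIX, "2001:db8:1::/48"))
```

The aggregate ACL is the convenient case Jeroen describes: one entry, and every site, including ones added later, is trusted by every firewall that carries it. The per-site list is what you end up maintaining once the "do you trust everybody?" question is answered with no.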