On 5/5/2011 11:39 AM, Danny McPherson wrote:
On May 5, 2011, at 9:43 AM, David Miller wrote:
In a properly functioning system - folks that consume the service don't need to know which node they are utilizing. Right, it doesn't matter IF things are functioning properly. If they're not, however...
IF things are not functioning properly and the operator of the service is depending on end consumers of the service to notify them of which node is malfunctioning, then it is time for the operator of the service to go back to the drawing board and improve their monitoring and failure resolution systems.
Providing the capability for well behaved customers to select/prefer a particular node over another would also allow evildoers to select/prefer a particular node over others - thereby increasing the attack surface of this node, yes? This isn't expressly about the capability to allow consumers to select one node of another, it's about transparency in which nodes they're using being visible in the control plane - there's no indication of that today.
...but it *is* expressly about selection of nodes... From the Introduction of - http://tools.ietf.org/html/draft-ietf-grow-unique-origin-as-00.txt : "Furthermore, control plane discriminators should exist to enable operators to know toward which of a given set of instances a query is being directed, and to enable detection and alerting capabilities when this changes. Such discriminators may also be employed to enable anycast node preference or filtering keys, should local operational policy require it."
As for attack surface expanse, no. You could largely already accomplish something of this sort today in the elements of the forwarding path you influence if you were an evildoer aiming to do such a thing.
I disagree (see above). -DM