[Freeipa-devel] A new proposal for Location Based Discovery

Adam Tkac atkac at redhat.com
Wed Jan 23 09:35:27 UTC 2013


On Tue, Jan 22, 2013 at 07:33:53PM -0500, Simo Sorce wrote:
> On Tue, 2013-01-22 at 17:46 +0100, Adam Tkac wrote:
> > On Tue, Jan 22, 2013 at 11:19:30AM -0500, Simo Sorce wrote:
> > > On Tue, 2013-01-22 at 17:02 +0100, Adam Tkac wrote:
> > > > On Tue, Jan 22, 2013 at 10:25:21AM -0500, Simo Sorce wrote:
> > > > > On Tue, 2013-01-22 at 16:18 +0100, Adam Tkac wrote:
> > > > > > Before we start talking about using DNS for this purpose, have you
> > > > > > considered using IP anycast for this? You can simply create multiple
> > > > > > servers with the same IP address in different places around the world.
> > > > > > After that you announce this IP address from multiple places
> > > > > > simultaneously via BGP, and BGP automatically routes all clients to
> > > > > > the closest node. The advantage is that this is already implemented
> > > > > > and used, and nothing has to be modified.
> > > > > > 
> > > > > > Regards, Adam
> > > > > > 
> > > > > We cannot assume our customers can influence or have access to change
> > > > > BGP routing, so I excluded multicast solutions from the get go.
> > > > > Also it requires more changes on the clients which is another heavy
> > > > > minus.
> > > > 
> > > > If I understand correctly, the target customers of IPA are companies, and they use
> > > > IPA to maintain resources in their internal networks, don't they?
> > > > 
> > > > In this case I see two basic solutions to the "location" issue.
> > > > 
> > > > 1. BGP routing between multiple internal networks
> > > 
> > > Sorry Adam, I do not want to be dismissive, and I know that in an ideal
> > > world this would be an awesome solution.
> > > 
> > > Just trust me that for most cases asking someone to change their network
> > > architecture is simply impossible.
> > 
> > This is definitely right.
> > 
> > However, please read my previous post - I don't propose to change the network
> > architecture. Do you know how to interconnect multiple networks without routers?
> > I don't. So routers are already present in customers' networks. It can even be
> > static routing, not BGP, and the admin can simply set a rule on the router for which
> > physical server clients should use.
> > 
> > > We have users telling us their network admins don't even want to change
> > > firewall configurations in some cases, so you can well see how they
> > > would respond to someone asking them to change their routing or enabling
> > > and using multicast.
> > 
> > I think it's the same amount of work to add a record to DNS or to add a record to the
> > static or dynamic routing tables.
> 
> Adding a record to a DNS server is quite different from changing routing
> and starting routing multicast packets.

Please note anycast != multicast. Anycast is unicast, so no multicast is
involved.

> > > Sorry but it simply is not a solution we can consider. 
> > 
> > Why? Which setup cannot be achieved with routing configuration but can be achieved
> > with location information in DNS?
> 
> Queries from clients behind a VPN that doesn't do multicast?
> 
> In general multicast cannot be assumed to be available/configured.
> 
> And it requires support in clients as well as services.
> 
> Also 'location' doesn't mean necessarily 'local'.
> 
> My client in NYC may be configured to be bound to servers in Boston for
> whatever administrative reason. Boston is in no way local to me, but it is
> my 'location'. How do you deliver that information in a schema like the
> one you had in mind?

This is not possible with my anycast proposal. Thanks for the explanation; I just
didn't imagine which schema could not be configured at the routing level, and this is
the one.

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.
