On 11/12/24 06:19, James Knott wrote:
I don't think that SNI requires deep packet inspection. The destination IP is right there where it should be. The server hostname parsing would be done at the destination, not at routing nodes. With SNI, DNS serves sort of like the router.
What about carrier grade NAT? Those routers are not at the destination, but would still have to do SNI, if it's to work. Also, on large networks, the router and firewall are often separate boxes.
From my understanding SNI allows a single server at a single IPv4 address to support multiple TLS connections to different name spaces on that one server. Assume one server supports foobar.com and blast.org, and has configured their authoritative DNS to return one IP address for either domain name. Thus, if the client wants to go to foobar.com his DNS returns one address and the name foobar.com is embedded in the TLS handshake. The server then unpacks the TLS dialog and sends the request to the server app servicing foobar.com. If she wants to go to blast.org, DNS will return the same IP address as foobar.com, but embed blast.org. Thus, routers along the way only have to concern themselves with the one IP address. Thus, the "routing" function is handled by DNS instead of routing tables in individual routers.

Regards, Lew