On 11/12/24 06:19, James Knott wrote:
> I don't think that SNI requires deep packet inspection. The destination IP
> is right there where it should be. The server hostname parsing would be
> done at the destination, not at routing nodes. With SNI, DNS serves sort
> of like the router.
>
> What about carrier grade NAT? Those routers are not at the destination,
> but would still have to do SNI, if it's to work. Also, on large networks,
> the router and firewall are often separate boxes.
From my understanding SNI allows a single server at a single IPv4
address to support multiple TLS connections to different name spaces
on that one server. Assume one server supports foobar.com and
blast.org, and has configured their authoritative DNS to return one
IP address for either domain name. Thus, if the client wants to go to
foobar.com his DNS returns one address and the name foobar.com is
embedded in the TLS handshake. The server then unpacks the TLS dialog
and sends the request to the server app servicing foobar.com.

If she wants to go to blast.org, DNS will return the same IP address
as foobar.com, but embed blast.org. Thus, routers along the way only
have to concern themselves with the one IP address.

Thus, the "routing" function is handled by DNS instead of routing
tables in individual routers.
Regards,
Lew
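To make the handshake step above concrete, here is an added example (not code from this thread or from any of its participants): a small Python parser that pulls the server_name out of a TLS ClientHello and picks a backend by that name, the way a server holding one IP address for both foobar.com and blast.org would. The ClientHello bytes are constructed inline with only the fields the parser needs, and the backend table is hypothetical; a ClientHello with no SNI extension at all is handled as a separate case, since that is what an old client or a bare-IP connection sends.

```python
"""Extract the SNI hostname from a TLS ClientHello and pick the backend.

Added example, not code from the thread. The ClientHello bytes are
constructed here (minimal record, one cipher suite, only the
server_name extension); the backend table is hypothetical.
"""
import struct
from typing import Optional

# Hypothetical vhost table: one IP address, two names, two backend apps.
BACKENDS = {
    b"foobar.com": "app-foobar",
    b"blast.org": "app-blast",
}


def build_client_hello(server_name: Optional[bytes]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (test data).

    Only the server_name field matters for this example; everything else is
    the minimum a ClientHello parser has to walk past.
    """
    exts = b""
    if server_name is not None:
        # server_name extension (type 0): ServerNameList of (name_type, len, name)
        name_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name
        sni_list = struct.pack("!H", len(name_entry)) + name_entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                      # client_version: TLS 1.2
        + b"\x00" * 32                   # random (zeroed; constructed data)
        + b"\x00"                        # session_id length 0
        + b"\x00\x02\x13\x01"            # cipher_suites: one suite
        + b"\x01\x00"                    # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[bytes]:
    """Return the host_name from a ClientHello record, or None if no SNI is sent.

    Raises ValueError on anything that is not a well-formed ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip version and random
    sid_len = p[pos]; pos += 1 + sid_len           # session_id
    cs_len = struct.unpack("!H", p[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = p[pos]; pos += 1 + cm_len             # compression_methods
    if pos == len(p):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", p[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    if end > len(p):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4]); pos += 4
        edata = p[pos:pos + elen]; pos += elen
        if etype != 0x0000:
            continue
        lpos = 2                                   # skip ServerNameList length
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            name = edata[lpos + 3:lpos + 3 + nlen]
            if ntype == 0:                         # name_type host_name
                return name
            lpos += 3 + nlen
    return None


def dispatch(record: bytes) -> str:
    """Pick the backend app for a ClientHello, as a shared-IP server would."""
    name = parse_sni(record)
    if name is None:
        return "default"                   # no SNI: legacy client or bare-IP access
    return BACKENDS.get(name, "default")   # unknown name still reached the same IP


if __name__ == "__main__":
    for host in (b"foobar.com", b"blast.org", b"other.test", None):
        print(host, "->", dispatch(build_client_hello(host)))
```

The point the parser makes is the one in the thread: the only thing a router or NAT box needs is the destination IP in the packet header; the name lives inside the first handshake record, and the box that actually terminates the TLS connection is the one that has to read it. Anything in between that wants the name has to parse the ClientHello just as this code does.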