[c-nsp] routing based on destination domain - can I do that?

Adrian Chadd adrian at creative.net.au
Tue Jun 12 21:44:38 EDT 2007


On Tue, Jun 12, 2007, matthew zeier wrote:
> 
> I'm supposed to open a remote office in China and the requirement is that 
> all domestic traffic go out ProviderA.cn and all other traffic out IPSEC 
> tunnel to the US office.
> 
> The actual stated goal was that any domain ending in .cn go out the 
> domestic provider.  I think it would suffice if that was just for web 
> traffic.
> 
> I haven't ever run into anything like that - is there such a beast?
> 
> My best idea so far is to convince provider to send me only domestic 
> Chinese routes or failing that, build a static route table based on some 
> geo-ip database.  Seems like a hack though.

If you're looking to route just http traffic via a different provider
then you could use a web proxy like Squid or the Cisco content modules
to match on URL and do "stuff" (where "stuff" can be send to another
upstream proxy, or tag with ToS bits that your router identifies as
"send me to china!", or use a different source address only announced/
routed out the china link, etc.)

You can craft ACLs in Squid which force Squid to do reverse DNS lookups
on http/https requests (where required) so it matches it on .cn.

Although I can't help but think you really should solve this by enumerating
which networks are "china" via BGP - maybe you could ask your ProviderA
if they can provide those domestic routes. Seems sensible.



Adrian
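The Squid side of what Adrian describes, as an added example that is not part of the original post or of Squid's own documentation. It assumes a hypothetical upstream proxy name (cn-proxy.example.net), a hypothetical ToS value (0x10) and a hypothetical second source address (203.0.113.10) reachable only via the China link; pick whichever one of the three mechanisms your router can act on and drop the other two.

```conf
# squid.conf fragment (example, not from the original post).
#
# dstdomain matches the host part of the request URL (or the host:port of a
# CONNECT for https).  When the URL carries an IP literal instead of a name,
# Squid tries a reverse DNS lookup on it before deciding whether it matches,
# which is the behaviour the post refers to.
acl china_web dstdomain .cn

# Option 1: hand .cn requests to an upstream proxy that sits on the China link.
# "cn-proxy.example.net" is an assumed name.
cache_peer cn-proxy.example.net parent 3128 0 no-query default
cache_peer_access cn-proxy.example.net allow china_web
cache_peer_access cn-proxy.example.net deny all
never_direct allow china_web

# Option 2: mark the outbound TCP connections with a ToS value (0x10 is an
# arbitrary assumed value) and let the router policy-route on that mark.
tcp_outgoing_tos 0x10 china_web

# Option 3: source the outbound connections from an address (assumed
# 203.0.113.10) that is only routed/announced out the China provider, so
# ordinary source-based policy routing sends them that way.
tcp_outgoing_address 203.0.113.10 china_web
```

Two things to check before relying on this: the `.cn` match only catches traffic whose destination name ends in .cn, so a Chinese site served from a .com name still goes down the tunnel, which is why a route-based split (the BGP suggestion above) is the more complete answer; and any reverse lookups Squid performs for IP-literal URLs add DNS latency and depend on PTR records that are often missing, so treat that path as best effort.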
