Re: [Last-Call] [v6ops] Tsvart last call review of draft-ietf-v6ops-ipv6-ehs-packet-drops-05

On 9/3/21 19:07, Tom Herbert wrote:
[...]

> Yes, ACLs on transport layer ports are common requirements, however
> the problem arises from related requirements that arise due to the
> limitations of routers to be able to locate the transport layer
> information in a packet. An example of such an implied requirement
> from this draft is "don't send packets with IPv6 header chains that
> are too long because some routers can't parse deep enough into packets
> to find the transport layer ports due to implementation constraints
> (like limited size parsing buffer)".

You seem to be reading more from the document than what we actually said in the document.

There are no requirements in this document. We simply explain things operators need to do, what are the associated limitations in real-world devices, and what's the likely outcome.

That's not an implied requirement, but simply a description of facts.



> While the rationale for the
> requirement may make sense, the problem, at least from the host stack
> perspective of trying to send packets with low probability they'll be
> dropped, is that a requirement that "don't IPv6 header chains that are
> too long" is useless without any quantification as exactly to what
> "too long" might be.

"too long" for the processing device(s). You don't know what devices will process your packets, hence cannot even guess what "too long" might mean.

What you know for sure is that the longer the chain, the lower the chances of your packets surviving -- as per RFC7872.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont@xxxxxxxxxxxxxxx
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
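
Added example, not part of the original message or of the draft: a header-chain walker that reports where the transport-layer ports sit in an IPv6 packet and whether they fall inside a device's parsing buffer, which is the limitation discussed in the thread. The packets are constructed samples, and the 64- and 128-byte buffer sizes are hypothetical values chosen only to show that the same packet can be parseable by one device and not by another.

```python
import struct

# Extension headers whose Hdr Ext Len counts 8-octet units past the first 8 (RFC 8200)
OPTS_STYLE = {0, 43, 60}          # Hop-by-Hop, Routing, Destination Options
FRAGMENT, AH = 44, 51
UDP, TCP = 17, 6

def transport_offset(pkt: bytes):
    """Walk the IPv6 header chain; return (upper-layer protocol, byte offset or None)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], 40
    while nxt in OPTS_STYLE or nxt in (FRAGMENT, AH):
        if off + 8 > len(pkt):
            raise ValueError("truncated header chain")
        if nxt == FRAGMENT:
            size = 8
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return pkt[off], None   # non-first fragment: no upper-layer header
        elif nxt == AH:
            size = (pkt[off + 1] + 2) * 4   # AH length is in 4-octet units minus 2
        else:
            size = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + size
    return nxt, off

def ports_visible(pkt: bytes, parse_buffer: int) -> bool:
    """True if the 4 bytes of TCP/UDP ports fall inside a device's parse buffer."""
    proto, off = transport_offset(pkt)
    return proto in (TCP, UDP) and off is not None and off + 4 <= parse_buffer

def build_packet(n_dest_opts: int, units: int = 0) -> bytes:
    """Constructed sample: IPv6 + n Destination Options headers (PadN only) + UDP."""
    size = (units + 1) * 8
    chain = b""
    for i in range(n_dest_opts):
        nh = 60 if i < n_dest_opts - 1 else UDP
        chain += bytes([nh, units, 1, size - 4]) + bytes(size - 4)
    payload = chain + struct.pack("!HHHH", 53000, 53, 8, 0)
    addr = bytes.fromhex("20010db8" + "00" * 11)   # documentation prefix 2001:db8::/32
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), 60 if n_dest_opts else UDP, 64)
    return hdr + addr + b"\x01" + addr + b"\x02" + payload

if __name__ == "__main__":
    for n in (0, 1, 3, 6):
        pkt = build_packet(n, units=1)
        _, off = transport_offset(pkt)
        # 64 and 128 are hypothetical parse-buffer sizes, not figures from the draft
        print(n, off, ports_visible(pkt, 64), ports_visible(pkt, 128))
```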


