Re: [OPSEC] [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

On 05/12/2018 17:57, Ole Troan wrote:
Chained EHs are a relic from a time when everybody was nice and
cooperative, bandwidth was sparse, routers used CPUs to forward packets,
and money came from governments to research networks in huge amounts.
[..]
This is the exact reason we have layering in the Internet protocols.
IPv6 routers are not meant to parse further into packets than the IPv6 header (with one exception (1)).

That network devices find it hard to parse deep into user's traffic is a feature.
I find the argument that we should then change upper layer protocols to accommodate that, hard to digest.
Ole, you've worked for a vendor long enough, and understand terms like
"rate limiting" and "hardware".
You are creating the “perceived” security problem yourself, by requiring processing deeper into the packet than is required.
Just comply with RFC8200. As long as a router is not configured to process any HBH options, it can ignore the header.
You seem to think HBH still means “punt to software”. If it ever meant that.

There’s no need for rate-limiting for not processing HBH obviously.
Of course it still needs to step through them all to do ECMP even if they are all disabled. Of course here it is only looking for two values (TCP or UDP).

If it has to look at any it has a much more complex set of tests, or a large vector table given the way the EH space is fragmented.

Stewart
Cheers,
Ole
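The header walk Stewart refers to, as an added example that is not part of the thread: a forwarder that wants transport ports for an ECMP hash has to step through every extension header (RFC 8200 section 4) until it reaches TCP or UDP, bounding the chain length and giving up on non-first fragments. The packet builder and its addresses and ports are constructed here purely to exercise the walk.

```python
import struct

# Extension-header and transport Next Header values from RFC 8200 / IANA.
HBH, ROUTING, FRAGMENT, DSTOPT = 0, 43, 44, 60
TCP, UDP = 6, 17

def find_transport(pkt, max_eh=8):
    """Walk the EH chain; return (proto, offset) or (None, reason)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None, "not IPv6"
    nh, off = pkt[6], 40                      # base header Next Header
    for _ in range(max_eh):                   # bound the walk, never loop forever
        if nh in (TCP, UDP):
            return nh, off
        if len(pkt) < off + 8:
            return None, "truncated extension header"
        if nh == FRAGMENT:                    # fixed 8 bytes; offset is bits 0-12
            if struct.unpack("!H", pkt[off+2:off+4])[0] >> 3:
                return None, "non-first fragment: no transport header"
            nh, off = pkt[off], off + 8
        elif nh in (HBH, ROUTING, DSTOPT):    # Hdr Ext Len: 8-octet units, excl. first 8
            nh, off = pkt[off], off + (pkt[off+1] + 1) * 8
        else:
            return None, f"unhandled next header {nh}"
    return None, "chain longer than max_eh"

def flow_tuple(pkt):
    """5-tuple for ECMP hashing, or None when the ports cannot be reached."""
    proto, off = find_transport(pkt)
    if proto is None or len(pkt) < off + 4:
        return None
    return (pkt[8:24].hex(), pkt[24:40].hex(), proto) + struct.unpack("!HH", pkt[off:off+4])

def build_packet(chain, l4=UDP, sport=1234, dport=53, frag_offset=0):
    """Constructed sample: base header, the EHs in `chain`, then 4 L4 bytes."""
    body = b""
    next_hdr = l4
    for eh in reversed(chain):                # chain EHs back to front
        if eh == FRAGMENT:
            hdr = struct.pack("!BBHI", next_hdr, 0, frag_offset << 3, 0)
        else:                                 # minimal 8-byte EH, zero-filled body
            hdr = bytes([next_hdr, 0]) + bytes(6)
        body, next_hdr = hdr + body, eh
    l4hdr = struct.pack("!HH", sport, dport)
    base = struct.pack("!IHBB16s16s", 6 << 28, len(body) + len(l4hdr), next_hdr, 64,
                       bytes(15) + b"\x01", bytes(15) + b"\x02")
    return base + body + l4hdr
```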