ECMP [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]


 



On 2018-12-06 07:08, Stewart Bryant wrote:
> 
> 
> On 05/12/2018 17:57, Ole Troan wrote:
>>>>> Chained EHs are a relic from a time when everybody was nice and
>>>>> cooperative, bandwidth was sparse, routers used CPUs to forward packets,
>>>>> and money came from governments to research networks in huge amounts.
>>> [..]
>>>> This is the exact reason we have layering in the Internet protocols.
>>>> IPv6 routers are not meant to parse further into packets than the IPv6 header (with one exception (1)).
>>>>
>>>> That network devices find it hard to parse deep into user's traffic is a feature.
>>>> I find the argument that we should then change upper layer protocols to accommodate that, hard to digest.
>>> Ole, you've worked for a vendor long enough, and understand terms like
>>> "rate limiting" and "hardware".
>> You are creating the “perceived” security problem yourself, by requiring processing deeper into the packet than is required.
>> Just comply with RFC8200. As long as a router is not configured to process any HBH options, it can ignore the header.
>> You seem to think HBH still means “punt to software”. If it ever meant that.
>>
>> There’s no need for rate-limiting for not processing HBH obviously.
> Of course it still needs to step through them all to do ECMP even if 
> they are all disabled. 

No it doesn't. That's what the flow label, in a fixed position early in the IPv6 header, is for. A line speed IPv6 router has no need to look at the layer 4 header, even if it's doing both diffserv and ECMP. Looking at transport headers is an IPv4 concept.

The topic here is not really IPv6 routers. It's devices whose job in life includes filtering. They might also be routers.

> Of course here it is only looking for two values 
> (TCP or UDP).

You too just killed SCTP ;-)

> If it has to look at any it has a much more complex set of tests, or a
> large vector table given the way the EH space is fragmented.

Frankly doing it without a network processor seems wrong. You can't expect
an ASIC or FPGA based device to handle the EH structures.

    Brian
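The two hashing strategies argued about above, as an added worked example that is not part of this thread or of the draft under review: one ECMP key built only from fields at fixed offsets in the 40-byte IPv6 header (source, destination, flow label), and one that has to walk the extension-header chain to reach transport ports, which is the per-type dispatch a filtering device needs. The packets are constructed by hand (addresses from 2001:db8::/32), the hash function is an arbitrary CRC32 standing in for whatever a forwarding ASIC uses, and the header lengths follow RFC 8200 and RFC 4302; everything else (function names, the sample flow) is an assumption made for this example.

```python
# Added example (not from the mailing-list thread): fixed-header vs. transport-aware
# ECMP key extraction for IPv6. Sample packets below are constructed by hand.
import struct
import zlib

# Next Header values (IANA protocol numbers, RFC 8200 section 4).
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
NO_NEXT_HEADER = 59
TCP, UDP, SCTP = 6, 17, 132
# Extension headers laid out as: Next Header (1), Hdr Ext Len (1, in 8-octet units
# not counting the first 8 octets), options.
GENERIC_EH = {HOPOPT, ROUTING, DSTOPTS, MOBILITY}


def flow_label_key(pkt):
    """3-tuple key read from fixed offsets only: bits 12-31 of word 0, bytes 8-23 and 24-39."""
    word0 = struct.unpack("!I", pkt[:4])[0]
    flow_label = word0 & 0xFFFFF
    return pkt[8:24] + pkt[24:40] + struct.pack("!I", flow_label)


def walk_extension_headers(pkt, max_headers=8):
    """Return (upper_layer_proto, offset) or (None, reason) if the chain cannot be followed."""
    next_hdr = pkt[6]
    off = 40
    for _ in range(max_headers):
        if next_hdr in GENERIC_EH:
            if off + 2 > len(pkt):
                return None, "truncated"
            next_hdr, off = pkt[off], off + 8 * (pkt[off + 1] + 1)
        elif next_hdr == FRAGMENT:
            if off + 8 > len(pkt):
                return None, "truncated"
            frag_off_flags = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            if frag_off_flags >> 3:
                # Non-zero fragment offset: this packet carries no transport header at all.
                return None, "non-first fragment"
            next_hdr, off = pkt[off], off + 8
        elif next_hdr == AH:
            # AH Payload Len is in 4-octet units minus 2 (RFC 4302).
            if off + 2 > len(pkt):
                return None, "truncated"
            next_hdr, off = pkt[off], off + 4 * (pkt[off + 1] + 2)
        elif next_hdr == ESP:
            return None, "ESP: payload opaque"
        elif next_hdr == NO_NEXT_HEADER:
            return None, "no next header"
        else:
            return next_hdr, off  # reached an upper-layer header
    return None, "too many extension headers"


def transport_key(pkt):
    """5-tuple key, or None when the transport header cannot be located."""
    proto, off = walk_extension_headers(pkt)
    if proto not in (TCP, UDP, SCTP) or off + 4 > len(pkt):
        return None
    # TCP, UDP and SCTP all carry source and destination ports in their first 4 bytes.
    return pkt[8:24] + pkt[24:40] + bytes([proto]) + pkt[off:off + 4]


def ecmp_next_hop(key, n_paths):
    """Map a key to one of n_paths equal-cost next hops (CRC32 is a stand-in hash)."""
    return zlib.crc32(key) % n_paths


# --- constructed sample packets ---------------------------------------------
def ipv6(src, dst, flow_label, next_hdr, payload):
    word0 = (6 << 28) | flow_label
    return struct.pack("!IHBB", word0, len(payload), next_hdr, 64) + src + dst + payload


def opts_eh(next_hdr, n_units=0):
    """Generic options EH of 8*(n_units+1) bytes, filled with a single PadN option."""
    body_len = 8 * (n_units + 1) - 2
    return bytes([next_hdr, n_units, 1, body_len - 2]) + bytes(body_len - 2)


SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
FL = 0x1234
TCP_HDR = struct.pack("!HH", 51515, 443) + bytes(16)

P_PLAIN = ipv6(SRC, DST, FL, TCP, TCP_HDR)
# Same flow, but HBH (16 bytes) + Destination Options (8 bytes) precede TCP.
P_CHAIN = ipv6(SRC, DST, FL, HOPOPT, opts_eh(DSTOPTS, 1) + opts_eh(TCP, 0) + TCP_HDR)
# Same flow, second fragment (offset 185 * 8 octets, M=0): no TCP header present.
P_FRAG2 = ipv6(SRC, DST, FL, FRAGMENT,
               bytes([TCP, 0]) + struct.pack("!HI", 185 << 3, 0xABCD) + bytes(64))
# A different flow carried over SCTP rather than TCP/UDP.
P_SCTP = ipv6(SRC, DST, 0x55555, SCTP, struct.pack("!HHII", 5000, 5001, 1, 0))


def demo(n_paths=4):
    """Next hop chosen per packet by each strategy (None = transport walk failed)."""
    out = {}
    for name, p in (("plain", P_PLAIN), ("chain", P_CHAIN), ("frag2", P_FRAG2), ("sctp", P_SCTP)):
        tk = transport_key(p)
        out[name] = (ecmp_next_hop(flow_label_key(p), n_paths),
                     None if tk is None else ecmp_next_hop(tk, n_paths))
    return out


if __name__ == "__main__":
    for name, hops in demo().items():
        print(f"{name:6s} flow-label hop={hops[0]} transport hop={hops[1]}")
```

The flow-label key is identical for all three packets of the first flow regardless of how long the chain is, and it never touches anything past byte 40. The transport walk has to dispatch on every Next Header value it meets, stops at ESP, and finds nothing at all in a non-first fragment, so a box that hashes or filters on ports has to decide what to do with those packets; SCTP only works because its port layout happens to match TCP and UDP.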




