On 5/12/18 21:14, Brian E Carpenter wrote:
> On 2018-12-05 21:52, Gert Doering wrote:
>> Hi,
>>
>> On Tue, Dec 04, 2018 at 10:57:43PM -0500, Christopher Morrow wrote:
>>> HA! ok. As gert/nick noted ... we have Nx100G links today (at the edge) and
>>> coming nx400G ... there's just not a reasonable story for "dpi" there. (I
>>> suppose: "yet" and "without paying the approximate value Coca-Cola
>>> Companies yearly advertising budget")
>>
>> Indeed.
>>
>> Unfortunately, there *is* a story for being able to rate-limit incoming
>> crap by protocol type - "give me no more than 200 Mbit/s of UDP packets
>> coming from source port 53".
>>
>> Which implies that as soon as the evil guys out there find a way to
>> generate DDoS streams carrying EHs that our border routers will (have to)
>> apply very strict rate limiting to everything they do not understand.
>>
>> - pass TCP
>> - rate-limit UDP on well-known reflective attacks port
>> - pass rest of UDP
>> - rate-limit ICMP
>> - rate-limit fragments
>> - rate-limit all the rest to something which can never exceed a customer's
>> access-link
>>
>> game over, EH
>
> Just to point out that this is equivalent to saying "game over, any new layer 4 protocol" too. For example, you just killed SCTP. And the same goes for new protocols over IPv4.

Not exactly the same. If you are using a new transport protocol (*) without any EHs, you have already found the upper-layer protocol. May allow or drop, but that's it.

With EHs, if you need to do packet filtering or ECMP, you need to follow the EH chain. The latter (particularly if the EH) is normally going to cause issues, where the former would not.

-- 
Fernando Gont
SI6 Networks
e-mail: fgont@xxxxxxxxxxxxxxx
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
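An added example, not part of the thread: a minimal walker for the IPv6 extension-header chain, plus a classifier that maps packets onto the rate-limit classes in Gert's list. It illustrates Fernando's point that with EHs a filter must follow the chain before it knows the upper-layer protocol, and where that walk fails (non-first fragments, truncated or overlong chains, headers the engine does not know). The set of EH types handled, the reflective-port list and the packet builders are assumptions made for this example.

```python
import struct

IPV6_HDR_LEN = 40
VARIABLE_LEN_EH = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options: carry a Hdr Ext Len field
FRAGMENT_EH = 44                # fixed 8 octets; a non-first fragment carries no upper-layer header
MAX_HEADERS = 8                 # bound the walk so a long chain cannot stall the classifier
REFLECTIVE_UDP_PORTS = {53, 123, 1900}   # constructed sample list (DNS, NTP, SSDP), not the thread's

def upper_layer_protocol(pkt: bytes):
    """Walk the EH chain: (proto, offset, walked_eh_types), or (None, reason, walked) if it cannot be followed."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return None, "not IPv6", []
    nh, off, walked = pkt[6], IPV6_HDR_LEN, []
    for _ in range(MAX_HEADERS):
        if nh in VARIABLE_LEN_EH:
            walked.append(nh)
            if off + 2 > len(pkt):
                return None, "truncated EH", walked
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8   # Hdr Ext Len counts 8-octet units after the first
        elif nh == FRAGMENT_EH:
            walked.append(nh)
            if off + 8 > len(pkt):
                return None, "truncated fragment header", walked
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:   # non-zero fragment offset
                return None, "non-first fragment", walked
            nh, off = pkt[off], off + 8
        else:
            return nh, off, walked   # transport header, or an EH this simple engine does not understand
    return None, "EH chain too long", walked

def policy_bucket(pkt: bytes) -> str:   # Gert's list, simplified
    proto, off, walked = upper_layer_protocol(pkt)
    if FRAGMENT_EH in walked:
        return "rate-limit-fragments"
    if proto == 17:
        sport = struct.unpack("!H", pkt[off:off + 2])[0] if off + 2 <= len(pkt) else None
        return "rate-limit-udp-reflective" if sport in REFLECTIVE_UDP_PORTS else "pass-udp"
    # TCP and ICMPv6 get their own classes; SCTP, unknown EHs and unwalkable chains fall into the last bucket
    return {6: "pass-tcp", 58: "rate-limit-icmp"}.get(proto, "rate-limit-rest")

# Constructed packets for testing: all-zero addresses, no checksums.
def ipv6_packet(eh_chain, proto, payload=b""):   # eh_chain: [(type, header_bytes)], already linked by next-header
    first_nh = eh_chain[0][0] if eh_chain else proto
    body = b"".join(h for _, h in eh_chain) + payload
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), first_nh, 64, bytes(16), bytes(16)) + body
def opt_hdr(next_hdr):   # 8-octet Hop-by-Hop or Destination Options header holding one PadN option
    return bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])

def frag_hdr(next_hdr, offset_units):   # offset in 8-octet units; 0 = first fragment
    return struct.pack("!BBHI", next_hdr, 0, offset_units << 3, 0x1234)
```

A plain SCTP packet (protocol 132) lands in the last bucket without any chain walk, which is Brian's point; a packet behind two option headers is classified only after the walk, which is Fernando's.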