[address-policy-wg] Re: [ipv6-wg] Re: Andre's guide to fix IPv6
Kurt Erik Lindqvist
kurtis at kurtis.pp.se
Mon Nov 28 09:04:26 CET 2005
(deleted address-policy-wg from the cc:)

On 26 nov 2005, at 16.00, Florian Weimer wrote:

>>> 2. Drop the Flow Label and Next Header fields from the IPv6 header.
>>
>> Next Header is required or how else do you know what follows the IPv6
>> header? Or do you only want to do TCP? What about UDP, SCTP and many
>> other headers (for IPv6 in IPv6, IPv4 in IPv6, IPSEC etc).
>
> IPv6 was designed for ACL-free software forwarding. This is not what
> we need today. Real routers must be able to access some layer 4
> information.
>
> A better header would do away with any layer 3 options or option
> replacement. It would consist of 7 64-bit words. The first word
> contains the IP protocol version number, a hop counter (not a TTL,
> because it can be spoofed), and a bidirectional next-layer protocol
> identifier (protocol number plus some optional data that is independent
> of the direction of the packet flow and constant for a given
> "connection"). You can include some bits for QoS if you want, but I'm
> not sure if this makes sense. This is the first word.
>
> After that, the source and destination address follow (two words
> each). The remaining two words are the next-layer source
> and destination address identifier (think port number, but you can put
> some additional cookie in there to make blind spoofing harder).
>
> In order to create a reflexive ACL entry, a router would zap the
> header flags and the hop count (which are ignored during matching
> anyway) and swap the source and destination addresses. No more
> upgrades so that you can filter still-a-bit-obscure protocols such as
> SCTP.
>
> Of course, a discussion about header layout is a bit pointless. But
> it is still a bit unfortunate that a protocol header explicitly
> designed for efficient forwarding does not come anywhere near that
> goal.

So AFAIK the state-of-the-art routers do 40G line-rate deep-packet inspection with any pattern matching. So remind me again what the problem is? Price?

Sure, that is a question of demand and volume production... When MPLS was new I remember being told by vendors that it was the only way we could forward IPv4 at 10G line-rate. Go figure.

- kurtis -
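A sketch of the seven-word header and the reflexive-ACL construction Florian describes, written as an added example for this archive page (it is not code from the thread or from any router vendor). The sub-field widths of the first word, 64-bit next-layer identifiers, and the sample addresses are assumptions; only hop count and QoS are excluded from matching, and the next-layer identifiers are swapped along with the addresses so the entry describes the return direction.

```python
import struct
from dataclasses import dataclass

HEADER_LEN = 7 * 8           # seven 64-bit words, fixed size, no options
MASK64 = (1 << 64) - 1
MASK44 = (1 << 44) - 1


@dataclass(frozen=True)
class ProposedHeader:
    """Florian's sketch; the sub-field widths of word 0 are assumed here."""
    version: int    # 4 bits
    hop_count: int  # 8 bits, decremented per hop; ignored by ACL matching
    qos: int        # 8 bits; also ignored by ACL matching
    proto_id: int   # 44 bits, same value in both directions of a connection
    src: int        # words 1-2: 128-bit source address
    dst: int        # words 3-4: 128-bit destination address
    src_id: int     # word 5: next-layer source identifier (port + cookie)
    dst_id: int     # word 6: next-layer destination identifier

    def pack(self) -> bytes:
        word0 = ((self.version << 60) | (self.hop_count << 52)
                 | (self.qos << 44) | (self.proto_id & MASK44))
        return struct.pack("!7Q", word0, self.src >> 64, self.src & MASK64,
                           self.dst >> 64, self.dst & MASK64,
                           self.src_id, self.dst_id)

    @classmethod
    def unpack(cls, raw: bytes) -> "ProposedHeader":
        if len(raw) < HEADER_LEN:
            raise ValueError("truncated header")
        w = struct.unpack("!7Q", raw[:HEADER_LEN])
        return cls(version=w[0] >> 60, hop_count=(w[0] >> 52) & 0xFF,
                   qos=(w[0] >> 44) & 0xFF, proto_id=w[0] & MASK44,
                   src=(w[1] << 64) | w[2], dst=(w[3] << 64) | w[4],
                   src_id=w[5], dst_id=w[6])


def match_key(h: ProposedHeader) -> tuple:
    """The fields an ACL compares: everything except hop count and QoS."""
    return (h.version, h.proto_id, h.src, h.dst, h.src_id, h.dst_id)


def reflexive_entry(h: ProposedHeader) -> ProposedHeader:
    """Entry admitting the return traffic of h: zero the ignored fields,
    swap the addresses and swap the next-layer identifiers."""
    return ProposedHeader(h.version, 0, 0, h.proto_id,
                          h.dst, h.src, h.dst_id, h.src_id)


def permitted(acl: set, raw: bytes) -> bool:
    """Match an incoming packet against the reflexive ACL using only the
    fixed 56-byte header, whatever the next-layer protocol happens to be."""
    return match_key(ProposedHeader.unpack(raw)) in acl
```

Because the identifiers live at fixed offsets in the layer 3 header, the same lookup covers TCP, UDP or SCTP without the router having to parse the transport header.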