This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[ipv6-wg] [v6ops] Extension Headers / Impact on Security Devices
Jen Linkova
furry13 at gmail.com
Wed Jun 17 15:22:27 CEST 2015
On Wed, Jun 17, 2015 at 2:02 PM, <sthaug at nethelp.no> wrote:
>> IMHO it's reasonable to assume that one might
>> need different hardware for "just routing" and enhanced QoS/ACL
>> services (it's a case nowadays anyway).
>
> You may feel it is reasonable. Not everybody agrees. If we compare
> with IPv4: All modern routers I know of (including high speed boxes
> with multiple 10G and 100G ports) are able to handle stateless ACLs
> based on IPv4 addresses and port numbers. The boxes with multiple
> 10G and 100G ports process these ACLs at line rate. I don't pay extra
> for this functionality - possibly because a box *without* such
> functionality would have a limited market.

[skip]

> I agree that the IPv4 packet may have options, making it variable
> length. However the length is still limited by the IHL field, which
> has a max value of 15 (60 bytes).

I'm glad you mentioned 60 bytes ;) Because there is a lot of reasonably
modern hardware around which copies 64 bytes on-chip. Which means if you
happen to have such hardware in your network and your stateless ACLs have
'match tcp flags' rules, you might get quite unexpected results
processing packets with a 60-byte IPv4 header... So, while it might be
perfectly fine to have such cards in the core, I'd expect people not to
install them at the border routers which are supposed to perform
enhanced ACL services. It was my point.

So we all agree that 'variable length is OK as long as our hardware
can look deep enough'? And what people are complaining about is the exact
number? Which we do not know yet for IPv6 EHs?

--
SY, Jen Linkova aka Furry
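
Added example, not part of the original message: a check of whether the TCP flags byte falls inside a fixed lookup window for IPv4 headers of varying IHL and for IPv6 extension header chains. It assumes the 64-byte window is counted from the first byte of the IP header (on real hardware the L2 header may use part of it); the function names and sample packets are constructed for illustration.

```python
import struct

WINDOW = 64        # bytes copied on-chip for lookup (figure from the message)
TCP, FRAG = 6, 44
V6_EXT = {0, 43, 60}   # hop-by-hop, routing, destination options

def tcp_flags_offset(pkt):
    """Offset of the TCP flags byte from the start of the IP header, or None."""
    if len(pkt) < 20:
        return None
    if pkt[0] >> 4 == 4:
        ihl = (pkt[0] & 0x0F) * 4
        frag_off = struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF
        if ihl < 20 or pkt[9] != TCP or frag_off:
            return None
        return ihl + 13
    if pkt[0] >> 4 == 6 and len(pkt) >= 40:
        nh, off = pkt[6], 40
        while nh in V6_EXT or nh == FRAG:
            if off + 8 > len(pkt):
                return None
            if nh == FRAG:
                if struct.unpack_from("!H", pkt, off + 2)[0] & 0xFFF8:
                    return None          # non-first fragment: no TCP header
                length = 8
            else:
                length = (pkt[off + 1] + 1) * 8
            nh, off = pkt[off], off + length
        return off + 13 if nh == TCP else None
    return None

def flags_visible(pkt, window=WINDOW):
    """True/False: flags byte lies inside the window; None if not a TCP packet."""
    off = tcp_flags_offset(pkt)
    return None if off is None else off < window

# Constructed sample packets (zeroed fields; only header lengths matter here).
def ipv4(ihl_words):
    hdr = bytearray(ihl_words * 4)
    hdr[0], hdr[9] = 0x40 | ihl_words, TCP
    return bytes(hdr) + bytes(20)

def ipv6(ext_lens):
    hdr = bytearray(40)
    hdr[0], hdr[6] = 0x60, 60 if ext_lens else TCP
    body = b""
    for i, n in enumerate(ext_lens):   # chain of destination-options headers
        nxt = 60 if i + 1 < len(ext_lens) else TCP
        body += bytes([nxt, n // 8 - 1]) + bytes(n - 2)
    return bytes(hdr) + body + bytes(20)
```

With these assumptions a 60-byte IPv4 header puts the flags at offset 73, outside the window, while for IPv6 a single 8-byte extension header still fits (offset 61) and 24 bytes of extension headers do not (offset 77).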