[ipv6-wg] [v6ops] Extension Headers / Impact on Security Devices

On Wed, Jun 17, 2015 at 2:02 PM,  <sthaug at nethelp.no> wrote:
>> IMHO it's reasonable to assume that one might
>> need different hardware for "just routing" and enhanced QoS/ACL
>> services (it's a case nowadays anyway).
>
> You may feel it is reasonable. Not everybody agrees. If we compare
> with IPv4: All modern routers I know of (including high speed boxes
> with multiple 10G and 100G ports) are able to handle stateless ACLs
> based on IPv4 addresses and port numbers. The boxes with multiple
> 10G and 100G ports process these ACLs at line rate. I don't pay extra
> for this functionality - possibly because a box *without* such
> functionality would have a limited market.

[skip]

> I agree that the IPv4 packet may have options, making it variable
> length. However the length is still limited by the IHL field, which
> has a max value of 15 (60 bytes).

I'm glad you mentioned 60 bytes ;) Because there are a lot of
reasonably modern hardware around
which copies 64 bytes on-chip. Which means if you happen such hardware
in your network
and your stateless ACL have 'match tcp flags' rules, you might get
quite unexpected results processing packets with
60 bytes IPv4 header....So, while it might be perfectly fine to have
such cars in the core, I'd expect people not to install then at the
border routers
which are supposed to perform enhanced ACL services. It was my point.

So we all agree that 'variable length is OK as long as our hardware
can look deep enough'? And what people are complaining about is exact
number? Which we do not know yet for IPv6 EHs?

-- 
SY, Jen Linkova aka Furry