[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Notes about identifier - locator separator

To: Tony Li <Tony.Li@procket.com>
Subject: RE: Notes about identifier - locator separator
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Sat, 9 Nov 2002 17:54:50 +0100 (CET)
Cc: <multi6@ops.ietf.org>
In-reply-to: <D2EC481073504E498A8DB9C0687E8CAF04D225CD@EXCHANGE0-0.na.procket.com>

On Fri, 8 Nov 2002, Tony Li wrote:

> |   Also, it should be possible to do IP layer-only filtering on the real big
> |   boxes.

> That's not a commercial possibility.

Obviously being able to do fast filtering on port numbers in big boxes
even if there are options present is preferable, and I agree that
building a box that can't filter on port numbers in the fast path isn't
a sound business decision. However, as an operator, I'd rather push my
port number filtering to the edges (where it belongs in the first place)
than open my core stuff up to DoS attacks by slowing down a lot in the
presence of IP options.

Not that there is much hardware that will do fast IPv6 anyway...

One of our collective favorite vendors (no, the other one) announced
that they could "do IPv6 forwarding in hardware after a software
upgrade, even on already deployed boxes". Interesting take on the words
"hardware" and "software". They also said that they could filter at wire
speed. I asked what would happen if the TCP or UDP segment wasn't the
first one in the protocol chain, but I'm still waiting for the answer...

> |   But it never hurts to implement all of this in the fast
> |   path, of course.  :-)

> So sayeth you.  ;-(

Where does it hurt then?

References:
- RE: Notes about identifier - locator separator
  - From: "Tony Li" <Tony.Li@procket.com>

Prev by Date: Re: SIP again
Next by Date: Re: Notes about identifier - locator separator
Previous by thread: RE: Notes about identifier - locator separator
Next by thread: Multihoming and IPv6 Multicast
Index(es):
- Date
- Thread