[address-policy-wg] Re: [ipv6-wg] Re: Andre's guide to fix IPv6
- Previous message (by thread): [address-policy-wg] Re: Andre's guide to fix IPv6
- Next message (by thread): [address-policy-wg] Re: Andre's guide to fix IPv6
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Kurt Erik Lindqvist
kurtis at kurtis.pp.se
Mon Nov 28 09:04:26 CET 2005
(deleted address-policy-wg from the cc:)

On 26 nov 2005, at 16.00, Florian Weimer wrote:

>>> 2. Drop the Flow Label and Next Header fields from the IPv6 header.
>>
>> Next Header is required or how else do you know what follows the IPv6
>> header? Or do you only want to do TCP? What about UDP, SCTP and many
>> other headers (for IPv6 in IPv6, IPv4 in IPv6, IPSEC etc).
>
> IPv6 was designed for ACL-free software forwarding. This is not what
> we need today. Real routers must be able to access some layer 4
> information.
>
> A better header would do away with any layer 3 options or option
> replacement. It would consist of 7 64-bit words. The first word
> contains the IP protocol version number, a hop counter (not a TTL,
> because it can be spoofed), and a bidirectional next-layer protocol
> identifier (protocol number plus some optional data that is independent
> of the direction of the packet flow and constant for a given
> "connection"). You can include some bits for QoS if you want, but I'm
> not sure if this makes sense. This is the first word.
>
> After that, the source and destination address follow (two words
> each). The remaining two words are the next-layer source
> and destination address identifier (think port number, but you can put
> some additional cookie in there to make blind spoofing harder).
>
> In order to create a reflexive ACL entry, a router would zap the
> header flags and the hop count (which are ignored during matching
> anyway) and swap the source and destination addresses. No more
> upgrades so that you can filter still-a-bit-obscure protocols such as
> SCTP.
>
> Of course, a discussion about header layout is a bit pointless. But
> it is still a bit unfortunate that a protocol header explicitly
> designed for efficient forwarding does not come anywhere near that
> goal.

So AFAIK state-of-the-art routers do 40G line-rate deep-packet inspection with any pattern matching. So remind me again what the problem is? Price?

Sure, that is a question of demand and volume production... When MPLS was new I remember being told by vendors that it was the only way we could forward IPv4 at 10G line-rate. Go figure.

- kurtis -
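The header layout and reflexive ACL that Florian sketches in the quoted text, modelled as an added Python example (this is not code from the thread or from any router vendor). The message names the fields of the 7-word header but gives no bit widths, so the split of word 0, the "16-bit port plus 48-bit cookie" shape of the next-layer identifiers, and the sample addresses and flow are my own assumptions; the point the block shows is that the match key ignores hop count and QoS bits, that the reverse-direction entry is just the key with addresses and identifiers swapped, and that a blind spoofer who knows the port but not the cookie does not match.

```python
import struct

# Added example: toy model of the 7 x 64-bit header from the quoted message and
# of the reflexive ACL key a router would derive from it. Word-0 bit layout is
# an assumption; the message lists the fields but not their widths.
M64 = (1 << 64) - 1
VERSION_SHIFT, HOP_SHIFT, QOS_SHIFT, PROTO_SHIFT = 60, 52, 44, 36
CONN_MASK = (1 << PROTO_SHIFT) - 1          # 36-bit direction-independent connection id
# Hop count and QoS flags are ignored during matching, so the mask clears them.
W0_MATCH_MASK = M64 & ~((0xFF << HOP_SHIFT) | (0xFF << QOS_SHIFT))
HEADER_FMT = ">7Q"                          # seven big-endian 64-bit words, 56 bytes


def pack_header(version, hop_count, qos, protocol, conn_id, src, dst, src_id, dst_id):
    """Word 0: version | hop count | QoS | protocol | connection id.
    Words 1-2: 128-bit source address; words 3-4: 128-bit destination address;
    word 5: source next-layer id; word 6: destination next-layer id (port + cookie)."""
    w0 = ((version & 0xF) << VERSION_SHIFT) \
        | ((hop_count & 0xFF) << HOP_SHIFT) \
        | ((qos & 0xFF) << QOS_SHIFT) \
        | ((protocol & 0xFF) << PROTO_SHIFT) \
        | (conn_id & CONN_MASK)
    return struct.pack(HEADER_FMT, w0, src >> 64, src & M64, dst >> 64, dst & M64,
                       src_id & M64, dst_id & M64)


def unpack_header(buf):
    w0, s_hi, s_lo, d_hi, d_lo, s_id, d_id = struct.unpack(HEADER_FMT, buf)
    return w0, (s_hi << 64) | s_lo, (d_hi << 64) | d_lo, s_id, d_id


def match_key(buf):
    """What the router compares against its ACL: hop count and QoS zapped,
    protocol, connection id, addresses and next-layer ids kept."""
    w0, src, dst, src_id, dst_id = unpack_header(buf)
    return (w0 & W0_MATCH_MASK, src, dst, src_id, dst_id)


def reflexive_key(buf):
    """ACL entry that permits the return traffic of this packet: the same
    match key with source/destination addresses and next-layer ids swapped."""
    w0, src, dst, src_id, dst_id = match_key(buf)
    return (w0, dst, src, dst_id, src_id)


def permitted(acl, buf):
    return match_key(buf) in acl


def demo():
    """Constructed sample flow: host A opens a connection to B through a router
    that installs a reflexive entry for the outbound packet. Returns whether the
    genuine reply, a blind spoof and a stray third-party packet are permitted."""
    A = 0x2001_0DB8_0000_0000_0000_0000_0000_0001   # assumed documentation addresses
    B = 0x2001_0DB8_0000_0000_0000_0000_0000_0002
    C = 0x2001_0DB8_0000_0000_0000_0000_0000_0003
    # next-layer id: 16-bit port in the top bits plus a 48-bit cookie (assumed split)
    a_id = (51234 << 48) | 0x3F9A_1C2B_94D5
    b_id = (443 << 48) | 0x0000_0000_0000
    conn = 0xABCDE                                  # same value in both directions
    outbound = pack_header(6, 64, 0, 6, conn, A, B, a_id, b_id)
    acl = {reflexive_key(outbound)}

    # Genuine reply: hop count differs from the outbound packet, still matches.
    reply = pack_header(6, 57, 0, 6, conn, B, A, b_id, a_id)
    # Blind spoofer knows A's port but not the 48-bit cookie in A's identifier.
    spoof = pack_header(6, 57, 0, 6, conn, B, A, b_id, (51234 << 48) | 0x0000_0000_0001)
    # Third party C reusing B's identifiers is not the reverse of any flow seen.
    stray = pack_header(6, 57, 0, 6, conn, C, A, b_id, a_id)
    return permitted(acl, reply), permitted(acl, spoof), permitted(acl, stray)


if __name__ == "__main__":
    print(demo())
```

The entry is computed once from the outbound packet and then matched with a plain tuple comparison, which is the property the quoted message is after: no per-protocol parsing beyond the fixed 56-byte header.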