Fred,

On 7/1/2013 3:51 PM, Templin, Fred L wrote:
>> You can't know that unless you parse the IPv6 header chain. And adding
>> SEAL in between IPv6 and the inner IPv6 adds one more step to that
>> chain.
>
> The SEAL first fragment MUST contain at least 256 bytes (or up to
> the end of the packet) according to the specs. If that is not large
> enough to include sufficient ULP headers then the packet should
> probably be dropped anyway.
>
>> Either way, DPI has to follow the chain step-by-step, vs. in a single
>> leap as with IPv4.
>
> Right, but how long can those chains be and still be considered
> a "realistic" IPv6 packet?

Although I agree it's important to have the header you want to examine in the first fragment, you still need to parse the chain.

With IPv4 that's one opcode - jump based on the offset in memory.

With IPv6, you need to run that opcode as many times as there are headers. That's the problem. Not whether you have the header you want to examine, but whether you can access it in a single hardware operation.

That's a problem with or without SEAL, and it's the problem that the current discussion on intarea is trying to address.

Joe
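The chain-walking cost described in the message above, as an added example that is not part of the thread: a DPI-style parser that locates the upper-layer protocol with one fixed-offset lookup for IPv4 but has to step through every IPv6 extension header, stopping when the packet turns out to be a non-first fragment (the ULP header is simply not there). The packets are constructed inline; each non-fragment extension header is assumed to carry a single 8-byte PadN option.

```python
import struct

# IPv6 extension-header next-header values a DPI engine has to walk (RFC 8200)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
IPV6_HDR_LEN = 40


def ipv4_ulp(pkt):
    """IPv4: one step. IHL gives the ULP offset, the protocol byte gives the ULP."""
    return pkt[9], (pkt[0] & 0x0F) * 4, 1


def ipv6_ulp(pkt):
    """IPv6: walk the chain. Returns (ulp, ulp_offset, headers_examined);
    ulp is None for a non-first fragment, which carries no ULP header."""
    nh, off, steps = pkt[6], IPV6_HDR_LEN, 1
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension-header chain")
        if nh == FRAGMENT:
            hdr_len = 8
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
                return None, off, steps + 1
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # Hdr Ext Len: 8-octet units, excluding first 8
        nh, off, steps = pkt[off], off + hdr_len, steps + 1
    return nh, off, steps


def build_ipv6(ext_chain, ulp=6, frag_offset=0):
    """Constructed sample: IPv6 header, the given extension headers, 20 bytes of ULP."""
    body = b""
    for kind, nxt in zip(ext_chain, ext_chain[1:] + [ulp]):
        if kind == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, frag_offset << 3, 0x1234)
        else:
            body += bytes([nxt, 0]) + b"\x01\x04\x00\x00\x00\x00"  # one PadN option
    payload = body + b"\x00" * 20
    first_nh = ext_chain[0] if ext_chain else ulp
    return struct.pack("!IHBB", 0x60000000, len(payload), first_nh, 64) + b"\x00" * 32 + payload


def build_ipv4(proto=6):
    """Constructed sample: minimal 20-byte IPv4 header plus 20 bytes of ULP."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                       b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + b"\x00" * 20
```

The third tuple element is the number of headers examined, which is the per-packet step count the thread is arguing about; a tunnel header inserted into the chain adds one more.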
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area