Hi Joe,

> -----Original Message-----
> From: Joe Touch [mailto:[email protected]]
> Sent: Monday, July 01, 2013 4:20 PM
> To: Templin, Fred L
> Cc: Carlos Pignataro (cpignata); Ronald Bonica; Internet Area
> Subject: Re: [Int-area] New Version Notification for draft-bonica-intarea-gre-mtu-00.txt
> 
> Fred,
> 
> On 7/1/2013 3:51 PM, Templin, Fred L wrote:
> >> You can't know that unless you parse the IPv6 header chain. And
> >> adding SEAL in between IPv6 and the inner IPv6 adds one more step to
> >> that chain.
> > The SEAL first fragment MUST contain at least 256 bytes (or up to
> > the end of the packet) according to the specs. If that is not large
> > enough to include sufficient ULP headers then the packet should
> > probably be dropped anyway.
> >
> >> Either way, DPI has to follow the chain step-by-step, vs. in a
> >> single leap as with IPv4.
> >
> > Right, but how long can those chains be and still be considered
> > a "realistic" IPv6 packet?
> 
> Although I agree it's important to have the header you want to examine
> in the first fragment,

Good. That means we need to set an upper bound on the maximum
length of an IPv6 header chain, right? And remember, with SEAL
the minimum first fragment size is 256 bytes whereas the min
first-frag size for IPv6 fragment header is only 8 bytes. SEAL
therefore naturally avoids an attack vector available for IPv6
frag/reass.

> you still need to parse the chain.

That is by design of the IPv6 protocol, and not something that
can be changed now regardless of the encapsulation, right?

> With IPv4 that's one opcode - jump based on the offset in a memory.

Right.

> With IPv6, you need to run that opcode as many times as there are
> headers. That's the problem. Not whether you have the header you want
> to examine, but whether you can access it in a single hardware operation.
> 
> That's a problem with or without SEAL, and it's the problem that the
> current discussion on intarea is trying to address.

Have there been any proposals? As in, is there any way to approach
this without a major redesign of IPv6? I also thought that the IPv6
"quadword-aligned" requirement addressed performance. Is that not
helpful?

Thanks - Fred
[email protected]

> Joe
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
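To make the exchange above concrete, here is an added example (my own, not code from the thread, from SEAL, or from the GRE MTU draft) that walks an IPv6 extension-header chain step by step the way a DPI engine has to, contrasts it with the single-offset lookup IPv4 allows, and flags a first fragment that carries fewer than SEAL's 256-byte minimum after the Fragment header (the IPv6 Fragment header itself only guarantees 8 bytes). Header layouts follow RFC 2460; the packets, the function names, and the 8-header cap are constructed for illustration and are my assumptions. AH and ESP are not parsed and are reported as the upper-layer protocol.

```python
import struct

# Next Header / protocol numbers (IANA)
IPPROTO_HOPOPTS, IPPROTO_TCP, IPPROTO_ROUTING = 0, 6, 43
IPPROTO_FRAGMENT, IPPROTO_DSTOPTS = 44, 60
# Extension headers sharing the "Next Header, Hdr Ext Len" layout, where
# Hdr Ext Len is in 8-octet units not counting the first 8 octets.
GENERIC_EXT = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS}
IPV6_HDR_LEN, FRAG_HDR_LEN = 40, 8


def ipv4_ulp_offset(pkt):
    """IPv4: the transport header is one arithmetic step away, IHL * 4."""
    return (pkt[0] & 0x0F) * 4


def ipv6_walk_chain(pkt, max_headers=8):
    """Follow the IPv6 header chain until a non-extension header is reached.
    Returns the upper-layer protocol, its offset, the number of extension
    headers traversed, and the fragment offset (None when unfragmented).
    Raises ValueError on truncation, on chains longer than max_headers (an
    assumed cap), and on non-first fragments, whose upper-layer header lives
    in another fragment and cannot be reached from this one."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 base header")
    next_hdr, offset, steps, frag_offset = pkt[6], IPV6_HDR_LEN, 0, None
    while next_hdr in GENERIC_EXT or next_hdr == IPPROTO_FRAGMENT:
        steps += 1  # one more "jump" the hardware has to perform
        if steps > max_headers:
            raise ValueError("header chain longer than %d" % max_headers)
        if len(pkt) < offset + 8:
            raise ValueError("truncated extension header at offset %d" % offset)
        if next_hdr == IPPROTO_FRAGMENT:
            next_hdr, _res, off_flags, _ident = struct.unpack_from("!BBHI", pkt, offset)
            frag_offset = off_flags >> 3
            offset += FRAG_HDR_LEN
            if frag_offset != 0:
                raise ValueError("non-first fragment: upper-layer header not present")
        else:
            next_hdr, ext_len = pkt[offset], pkt[offset + 1]
            offset += (ext_len + 1) * 8
        if offset > len(pkt):
            raise ValueError("extension header runs past end of packet")
    return {"ulp": next_hdr, "offset": offset, "steps": steps, "frag_offset": frag_offset}


def first_fragment_too_small(pkt, minimum=256):
    """True when pkt is a first fragment (offset 0, M=1) carrying fewer than
    `minimum` bytes after the Fragment header; SEAL's rule is 256 bytes.
    Unfragmented packets, atomic fragments and later fragments return False."""
    next_hdr, offset = pkt[6], IPV6_HDR_LEN
    while next_hdr in GENERIC_EXT:  # only the unfragmentable part precedes Fragment
        if len(pkt) < offset + 2:
            raise ValueError("truncated extension header")
        next_hdr, ext_len = pkt[offset], pkt[offset + 1]
        offset += (ext_len + 1) * 8
    if next_hdr != IPPROTO_FRAGMENT or len(pkt) < offset + FRAG_HDR_LEN:
        return False
    off_flags = struct.unpack_from("!H", pkt, offset + 2)[0]
    if (off_flags >> 3) != 0 or not (off_flags & 1):
        return False
    return len(pkt) - (offset + FRAG_HDR_LEN) < minimum


# --- constructed sample packets (addresses and ports are placeholders) ---
def ipv6_base(next_hdr, payload):
    src, dst = bytes(15) + b"\x01", bytes(15) + b"\x02"
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + src + dst + payload

def ext_header(next_hdr, ext_len=0):
    """Generic extension header, body filled with Pad1 options (zero bytes)."""
    return bytes([next_hdr, ext_len]) + bytes((ext_len + 1) * 8 - 2)

def frag_header(next_hdr, frag_offset, more, ident=0x1234):
    return struct.pack("!BBHI", next_hdr, 0, (frag_offset << 3) | int(more), ident)

TCP_HDR = struct.pack("!HHIIBBHHH", 443, 50000, 0, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20-byte SYN
PLAIN = ipv6_base(IPPROTO_TCP, TCP_HDR)
# Hop-by-Hop -> Destination Options (16 bytes) -> Fragment (first) -> TCP + data
CHAINED = ipv6_base(IPPROTO_HOPOPTS, ext_header(IPPROTO_DSTOPTS)
                    + ext_header(IPPROTO_FRAGMENT, ext_len=1)
                    + frag_header(IPPROTO_TCP, 0, more=True) + TCP_HDR + bytes(300))
# Hop-by-Hop -> Fragment (first) -> only 4 bytes of the TCP header
TINY_FIRST_FRAG = ipv6_base(IPPROTO_HOPOPTS, ext_header(IPPROTO_FRAGMENT)
                            + frag_header(IPPROTO_TCP, 0, more=True) + TCP_HDR[:4])
SECOND_FRAG = ipv6_base(IPPROTO_FRAGMENT, frag_header(IPPROTO_TCP, 1, more=False) + bytes(16))
IPV4_PLAIN = bytes([0x45]) + bytes(19) + TCP_HDR

if __name__ == "__main__":
    print("IPv4 ULP offset (one step):", ipv4_ulp_offset(IPV4_PLAIN))
    for name, p in [("plain", PLAIN), ("chained", CHAINED), ("tiny first frag", TINY_FIRST_FRAG)]:
        r = ipv6_walk_chain(p)
        print("%-16s %s, bytes left for ULP header: %d, tiny first frag: %s"
              % (name, r, len(p) - r["offset"], first_fragment_too_small(p)))
```

The "tiny first frag" sample is the case the thread is about: the chain walk does reach the TCP header's position, but only 4 bytes of it are present, so a filter that stops at the first fragment sees nothing it can decide on. A minimum first-fragment size like SEAL's 256 bytes turns that into a drop instead of a guess.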