Tom,

Please take a look at Section 4.3 (Stateless Firewalls). How can the stateless 
firewall behave optimally without maintaining state?

While flow labels may help in the case of load balancers, they don't help at all 
in the case of stateless firewalls.

                                                Ron

> Secondly, the only specified interaction between fragmentation and
> intermediate nodes is that routers can fragment packets in IPv4. Other than
> that, a middlebox that complies with RFC791 and RFC8200 does not process
> or consider fragmentation of packets. Given that, it's unclear to me why
> middle boxes would need to maintain state to be protocol compliant. It's
> possible that the implicit exception of the requirement is that middleboxes
> might perform "in-network reassembly" or "virtual reassembly" which would
> require state. If that is indeed the case then the requirements for the
> mechanisms should be spelled out.
> 
> For stateless load balancing (described in section 4.4), the IPv6 flow label
> obviates the need for DPI. It is sufficient to hash over the three tuple
> <saddr, daddr, flow label> to get good load balancing. All major OSes have been
> updated to set flow labels, and there are devices that already support this.
> IMO, the draft should make using flow label for stateless load balancing a
> SHOULD.
> 
> Tom

_______________________________________________
Int-area mailing list
Int-area@ietf.org
https://www.ietf.org/mailman/listinfo/int-area
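
Added example, not part of either message or of the draft: it contrasts the two cases argued above on a constructed fragmented UDP datagram. The hash over <saddr, daddr, flow label> sends both fragments to the same backend, while a stateless rule on the UDP destination port cannot be evaluated on the non-first fragment. The addresses, flow label, the port rule and all function names are assumptions made for illustration.

```python
import hashlib, ipaddress, struct

FRAG, UDP = 44, 17  # IPv6 Next Header values: Fragment header, UDP

def ipv6(src, dst, flow_label, next_header, payload):
    """Build a 40-byte IPv6 header plus payload (constructed test traffic)."""
    vtf = (6 << 28) | (flow_label & 0xFFFFF)  # version, traffic class 0, flow label
    return (struct.pack("!IHBB", vtf, len(payload), next_header, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

def frag_hdr(next_header, offset_units, more, ident):
    """8-byte Fragment header; the offset is counted in 8-octet units."""
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)

def parse(pkt):
    """Return (src, dst, flow_label, dst_port); dst_port is None if no L4 header."""
    vtf, _, nh, _ = struct.unpack("!IHBB", pkt[:8])
    src, dst, rest = pkt[8:24], pkt[24:40], pkt[40:]
    if nh == FRAG:
        nh, _, off_flags, _ = struct.unpack("!BBHI", rest[:8])
        rest = rest[8:]
        if off_flags >> 3:  # non-first fragment: the transport header is not here
            return src, dst, vtf & 0xFFFFF, None
    port = struct.unpack("!H", rest[2:4])[0] if nh == UDP else None
    return src, dst, vtf & 0xFFFFF, port

def pick_backend(pkt, n):
    """Stateless load balancer: hash <saddr, daddr, flow label>, no DPI needed."""
    src, dst, fl, _ = parse(pkt)
    digest = hashlib.sha256(src + dst + fl.to_bytes(3, "big")).digest()
    return int.from_bytes(digest[:4], "big") % n

def port_rule_verdict(pkt, allowed_port):
    """Stateless firewall rule on UDP destination port (assumed rule type)."""
    port = parse(pkt)[3]
    if port is None:
        return "undecidable"  # the rule's match field is absent from this packet
    return "allow" if port == allowed_port else "deny"

# Constructed sample: one UDP datagram to port 53, split into two fragments.
udp = struct.pack("!HHHH", 40000, 53, 8 + 16, 0) + b"A" * 16
first = ipv6("2001:db8::1", "2001:db8::2", 0xABCDE, FRAG,
             frag_hdr(UDP, 0, True, 7) + udp[:16])
second = ipv6("2001:db8::1", "2001:db8::2", 0xABCDE, FRAG,
              frag_hdr(UDP, 2, False, 7) + udp[16:])

if __name__ == "__main__":
    print(pick_backend(first, 8), pick_backend(second, 8))
    print(port_rule_verdict(first, 53), port_rule_verdict(second, 53))
```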
