Hi Pekka,
> By 'goes through', do you also mean intermediate routers which do not
> need to process the routing header in any way (i.e.: are never in
> "Destination Address" field of the routing header)?
> If yes, this would require punting packets from hardware forwarding to
> the control processor which is IMHO a non-starter.
Having a background on ASIC design for packet forwarding, I believe
that is exactly what is done for packets that need to be processed in
some exceptional behavior. It's a very very normal case. The other case
is to process the packets in the embedded processors, using some
firmware.
Can you explain why the above design is a non-starter?
Thanks,
Vishwas
On 6/3/07, Pekka Savola <[EMAIL PROTECTED]> wrote:
On Sun, 3 Jun 2007, Vishwas Manral wrote:
> The idea is that for every router the packet goes through, we need to
> check the IP address of all the interface addresses, and make sure
> that none of the interface addresses either before or after in the
> source routing header match any of the IP addresses of the packet.
Not sure whether this is worth doing in the first place, but just to
get the story straight:
By 'goes through', do you also mean intermediate routers which do not
need to process the routing header in any way (i.e.: are never in
"Destination Address" field of the routing header)?
If yes, this would require punting packets from hardware forwarding to
the control processor which is IMHO a non-starter.
> Yes, an RPF check could be helpful too. But I am unsure how it would
> behave in case of ECMP or other anomaly cases.
Maybe Jeroen meant to refer to ingress/egress filtering in general,
not just uRPF. Strict uRPF is usually applied around the edges of the
network (where the size and definition of 'network' varies). Other
kinds of ingress/egress ACLs (usually static / automatically generated
ones) can be better applied at peering/upstream/etc. borders. Having
such ACLs prevents almost all RH0 looping abuse. (There is a scenario
Gert Döring mentioned where you loop between backbone routers within
the target organization but that can be eliminated by disabling RH0
processing in that organization's routers' control plane).
--
Pekka Savola                  "You each name yourselves king, yet the
Netcore Oy                     kingdom bleeds."
Systems. Networks. Security.   -- George R.R. Martin: A Clash of Kings
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
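The per-router check Vishwas describes (compare every entry of the RH0 address list, before and after the current segment, against the router's own addresses) written out as an added example; this code is not from the thread or from any router vendor, and it assumes a raw RH0 header as input plus a constructed list of interface addresses.

```python
import ipaddress
import struct

# IPv6 Routing Header type 0 (RH0) layout, RFC 2460 section 4.4:
#   next header (1) | hdr ext len (1) | routing type (1) | segments left (1)
#   reserved (4)    | list of 16-byte addresses (hdr ext len / 2 entries)

def build_rh0(addrs, segments_left, next_header=59):
    """Encode an RH0 header (used here only to construct sample input)."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    fixed = struct.pack("!BBBBI", next_header, 2 * len(addrs), 0, segments_left, 0)
    return fixed + body

def parse_rh0(raw):
    """Decode an RH0 header; return (segments_left, [IPv6Address, ...])."""
    if len(raw) < 8:
        raise ValueError("routing header shorter than its fixed 8-byte part")
    _, ext_len, rtype, seg_left = struct.unpack("!BBBB", raw[:4])
    if rtype != 0:
        raise ValueError("not a type 0 routing header")
    if ext_len % 2:
        raise ValueError("RH0 hdr ext len must be even")
    n_addr = ext_len // 2
    body = raw[8:8 + 16 * n_addr]
    if len(body) != 16 * n_addr or seg_left > n_addr:
        raise ValueError("malformed RH0: bad length or segments left")
    return seg_left, [ipaddress.IPv6Address(body[i * 16:(i + 1) * 16])
                      for i in range(n_addr)]

def rh0_revisits(raw, packet_dst, local_ifaces):
    """Return the RH0 list entries (at any position, before or after the
    current segment) that name this router or the packet's current
    destination.  A non-empty result means the packet would come back
    through this router, so the router drops it instead of forwarding."""
    _, addrs = parse_rh0(raw)
    local = {ipaddress.IPv6Address(a) for a in local_ifaces}
    local.add(ipaddress.IPv6Address(packet_dst))
    return [str(a) for a in addrs if a in local]
```

The router running this is the one whose address is in the packet's Destination Address field; intermediate routers that never appear there are not involved, which is the distinction Pekka asks about.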