Hi Pekka/ A+,
> The packets you want to rate limit are the ones addressed to the router that include an RH0, not the ones that are flowing through (the dst address of the IPv6 packet is not one of the router's), right?

It's slightly more complicated. By checking only at the destination addresses, we reduce attacks, except for the case where someone knows intricate details of IP routing. By checking in all nodes, we further reduce the probability of all such attacks. If, as Pekka said, we do not want to process the packet on all intermediate nodes, we could as well only process the packet at the destination.
Pekka, I agree with your sentiment regarding the below.

> As an operator, I do not wish to buy routers that are DoS'able or whose control processor CPU resources can be wasted on inspecting transiting traffic. "Punting packets to the slow path" is one primary thing that a high-speed router should not have to do. I think I'm not alone in the operator field with this sentiment.

My aim has been to try and salvage the functionality present in the RH0 header, without having to still deal with the attacks. The router is not DoS'able as streams to the CPU can be rate-limited. I had pointed out checks that can reduce the kind of problems that have been discussed on the list. If the same checks can be done in the hardware/embedded processors, that would be ok too.

Thanks,
Vishwas

On 6/4/07, Pekka Savola <[EMAIL PROTECTED]> wrote:
> On Mon, 4 Jun 2007, Vishwas Manral wrote:
>>> By 'goes through', do you also mean intermediate routers which do not
>>> need to process the routing header in any way (i.e.: are never in the
>>> "Destination Address" field of the routing header)?
>>>
>>> If yes, this would require punting packets from hardware forwarding to
>>> the control processor, which is IMHO a non-starter.
>>
>> Having a background in ASIC design for packet forwarding, I believe
>> that is exactly what is done for packets that need to be processed with
>> some exceptional behavior. It's a very, very normal case. The other case
>> is to process the packets in the embedded processors, using some
>> firmware.
>>
>> Can you explain why the above design is a non-starter?
>
> As an operator, I do not wish to buy routers that are DoS'able or whose
> control processor CPU resources can be wasted on inspecting transiting
> traffic. "Punting packets to the slow path" is one primary thing that a
> high-speed router should not have to do. I think I'm not alone in the
> operator field with this sentiment.
>
> Oh yeah, hop-by-hop extension header should be retired as well :-)
>
> --
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
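The classification the thread argues about (transit traffic stays on the hardware fast path; only packets addressed to the router that carry an RH0 with segments left reach a rate-limited slow path), as an added Python example that is not from the thread or from any vendor's implementation. The duplicate/self-referencing segment sanity check, the token-bucket budget and the packet builder used for test input are assumptions made for this example.

```python
import ipaddress
import struct

IPV6_HLEN = 40
NH_ROUTING = 43          # IPv6 Routing extension header; RH0 is routing type 0

def build_rh0_packet(src, dst, segments, seg_left=None, next_header=59):
    """Construct an IPv6 packet with an RH0 listing `segments` (test input only)."""
    seg_left = len(segments) if seg_left is None else seg_left
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in segments)
    ext_len = len(segments) * 2      # 8-octet units, not counting the first 8 octets
    rh0 = struct.pack("!BBBBI", next_header, ext_len, 0, seg_left, 0) + addrs
    ip6 = struct.pack("!IHBB", 0x60000000, len(rh0), NH_ROUTING, 64)
    return ip6 + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + rh0

def parse_rh0(pkt):
    """Return (dst, segments_left, segment list); segments_left is None without an RH0."""
    dst = ipaddress.IPv6Address(pkt[24:40])
    if pkt[6] != NH_ROUTING or pkt[IPV6_HLEN + 2] != 0:   # only routing type 0 matters here
        return dst, None, None
    ext_len, seg_left = pkt[IPV6_HLEN + 1], pkt[IPV6_HLEN + 3]
    body = pkt[IPV6_HLEN + 8:IPV6_HLEN + 8 + ext_len * 8]
    segs = [ipaddress.IPv6Address(body[i:i + 16]) for i in range(0, len(body), 16)]
    return dst, seg_left, segs

class Rh0Classifier:
    """Decide where a packet goes; only 'slow-path' costs control-processor CPU."""
    def __init__(self, own_addrs, slow_path_pps, start=0.0):
        self.own = {ipaddress.IPv6Address(a) for a in own_addrs}
        self.rate, self.tokens, self.last = slow_path_pps, float(slow_path_pps), start

    def classify(self, pkt, now):
        dst, seg_left, segs = parse_rh0(pkt)
        if dst not in self.own:
            return "fast-path"        # transit traffic: never inspected by the CPU
        if not seg_left:
            return "local-delivery"   # addressed to us, but no RH0 hops left to process
        if len(set(segs)) != len(segs) or any(s in self.own for s in segs):
            return "drop"             # assumed sanity check: repeated or self-referencing hops
        # Token bucket bounds how many RH0 packets per second reach the slow path.
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return "drop"             # slow-path budget exhausted: rate-limited
        self.tokens -= 1
        return "slow-path"
```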
