On Mon, Jun 3, 2013 at 11:59 PM, Vízdal Aleš <[email protected]> wrote:
>> If I am reading this correctly, in the end this is driven by the fact
>> that existing boxes can easily filter on addresses (although it will
>> take a lot of filters), but cannot apply ACLs to DSCPs or extension
>> headers?
>
> The current boxes can do both ACL filtering as well as DSCP mangling, but
> as mentioned earlier the DSCP bits cannot be trusted, so a markdown/
> re-marking is required, potentially involving DPI. Maintaining ACLs is
> also time consuming.

I don't understand what the difference is. Why can the addresses be trusted? Answer: because you drop packets if the host uses the wrong address. But all the space is routed to the user anyway, and the semantic bits only express semantics, right? Therefore you can't use routing or RPF to implement the drops, and you have to use an ACL.

So if you have to use an ACL to do this anyway, then why can't you make the ACL drop packets if the host uses the wrong DSCP codepoint? That way you don't need to use extra address space.
-------------------------------------------------------------------- IETF IPv6 working group mailing list [email protected] Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
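The argument above, that dropping on a wrong source address and dropping on a wrong DSCP are the same kind of per-packet ACL match, while routing or RPF can only ever see the source address, is illustrated by the following example. It is an added illustration, not code or configuration from the thread or from any of the participants; the customer prefix 2001:db8:1::/48, the permitted codepoints {0, 46} and the packets are constructed for the example.

```python
"""Toy IPv6 ACL and strict-uRPF check (added example, not from the thread).

Shows that a per-packet ACL can match on the DSCP codepoint exactly as it
matches on the source prefix, while a uRPF lookup never sees the DSCP.
Prefixes, codepoints and packets below are constructed for illustration.
"""
import ipaddress
import struct

IPV6_HEADER_LEN = 40


def parse_ipv6_header(pkt: bytes):
    """Return (dscp, src, dst) from the fixed 40-byte IPv6 header.

    The Traffic Class is the 8 bits after the 4-bit version field; the
    DSCP is its upper 6 bits (RFC 2474), so it straddles the first two
    bytes of the header.
    """
    if len(pkt) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word = struct.unpack("!I", pkt[:4])[0]
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    traffic_class = (first_word >> 20) & 0xFF
    dscp = traffic_class >> 2
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    return dscp, src, dst


def build_ipv6(src: str, dst: str, dscp: int, payload: bytes = b"",
               next_header: int = 59) -> bytes:
    """Construct a minimal IPv6 packet (59 = No Next Header, hop limit 64)."""
    traffic_class = (dscp & 0x3F) << 2            # ECN bits left at 0
    first_word = (6 << 28) | (traffic_class << 20)  # flow label 0
    hdr = struct.pack("!IHBB", first_word, len(payload), next_header, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


class Acl:
    """Ordered rule list, first match wins, implicit deny at the end.

    A rule is (action, src_prefix_or_None, dscp_set_or_None); None matches
    anything, so the same rule form covers address-only and DSCP filtering.
    """

    def __init__(self, rules):
        self.rules = [(action, ipaddress.IPv6Network(prefix) if prefix else None, dscps)
                      for action, prefix, dscps in rules]

    def evaluate(self, pkt: bytes) -> str:
        dscp, src, _ = parse_ipv6_header(pkt)
        for action, prefix, dscps in self.rules:
            if prefix is not None and src not in prefix:
                continue
            if dscps is not None and dscp not in dscps:
                continue
            return action
        return "deny"


def urpf_check(pkt: bytes, interface_routes) -> bool:
    """Strict unicast RPF: accept only if the source lies in a prefix routed
    towards this interface. The DSCP never enters the decision."""
    _, src, _ = parse_ipv6_header(pkt)
    return any(src in ipaddress.IPv6Network(r) for r in interface_routes)


# Hypothetical customer assignment and the two ACL styles under discussion.
CUSTOMER_PREFIX = "2001:db8:1::/48"
ADDRESS_ACL = Acl([("permit", CUSTOMER_PREFIX, None)])        # wrong address -> drop
DSCP_ACL = Acl([("permit", CUSTOMER_PREFIX, {0, 46})])        # wrong DSCP -> drop too

# Constructed packets: legitimate EF, spoofed source, and an unexpected codepoint.
PKT_OK = build_ipv6("2001:db8:1::10", "2001:db8:ffff::1", 46)
PKT_SPOOFED = build_ipv6("2001:db8:2::10", "2001:db8:ffff::1", 46)
PKT_BAD_DSCP = build_ipv6("2001:db8:1::10", "2001:db8:ffff::1", 34)

if __name__ == "__main__":
    for name, pkt in (("ok", PKT_OK), ("spoofed", PKT_SPOOFED), ("bad_dscp", PKT_BAD_DSCP)):
        print(name, "addr-acl:", ADDRESS_ACL.evaluate(pkt),
              "dscp-acl:", DSCP_ACL.evaluate(pkt),
              "urpf:", urpf_check(pkt, [CUSTOMER_PREFIX]))
```

The uRPF check passes the packet carrying an unexpected codepoint because the whole /48 is routed to the customer regardless of what the packet says about itself; only the ACL, which already has to inspect every packet to enforce the address policy, can enforce the DSCP policy, and it does so with the same lookup.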
