On Fri, 7 Nov 2025 at 16:10, Marco Moock via NANOG
<[email protected]> wrote:

> UDP and TCP have checksums.
> Other applications have signature mechanisms to verify the data, e.g.
> gpg, certificates etc.
> IPsec exists which also provides such mechanisms if needed.

Transit doesn't verify UDP/TCP checksum. So with IPv6 you have no way
of knowing when bad memory is mangling your packets, which very likely
is happening right now to some people on this very mailing list, which
they could diagnose by looking at IP checksums failing for packets
coming in from LSR or L2 transit to the L3 edge.

Even digging up UDP/TCP from IPv6 can be very tricky, it is easy to
exhaust ex Nokia FP resources and stall the CPU by stacking headers,
in Juniper this doesn't happen, because Trio will eventually just
discard packets with too many stacked headers. Which is problematic,
as end host has no problem dealing with large stack of headers, so
this can be made to evade some type of ACL, such as permit any host
SMTP1 smtp, deny any any smtp. To stop residential from sending email
outside approved email GW.

-- 
  ++ytti
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/[email protected]/message/ABH6D42AP2PPHJ6TNW2UCPIIA5EXIR4Y/
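
The ACL concern in the message above, seen from the filter's side, as an added example that is not part of the original post: a bounded walk of the IPv6 extension-header chain that denies whenever the L4 port cannot be determined. The function names, the budget of 8 headers, the 2001:db8:: addresses and the sample packets are assumptions constructed for illustration, and only hop-by-hop, routing, destination-options and fragment headers are walked.

```python
import struct

GENERIC_EXT = {0, 43, 60}  # hop-by-hop, routing, destination options
FRAGMENT, TCP, UDP = 44, 6, 17

def classify(pkt: bytes, max_ext: int = 8):
    """Walk the extension-header chain with a fixed budget.
    Returns (verdict, l4_proto, dst_port, headers_walked)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("malformed", None, None, 0)
    nxt, off, walked = pkt[6], 40, 0
    while nxt in GENERIC_EXT or nxt == FRAGMENT:
        if walked == max_ext:
            return ("too-many-headers", None, None, walked)
        if off + 8 > len(pkt):
            return ("malformed", None, None, walked)
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return ("non-first-fragment", None, None, walked)
            size = 8
        else:
            size = (pkt[off + 1] + 1) * 8  # Hdr Ext Len excludes the first 8 octets
        nxt, off, walked = pkt[off], off + size, walked + 1
    if nxt in (TCP, UDP):
        if off + 4 > len(pkt):
            return ("malformed", None, None, walked)
        return ("ok", nxt, struct.unpack_from("!H", pkt, off + 2)[0], walked)
    return ("ok", nxt, None, walked)

def acl_action(pkt: bytes, smtp_gw: bytes) -> str:
    """permit any host <smtp_gw> smtp; deny any any smtp; deny if unclassifiable."""
    verdict, proto, dport, _ = classify(pkt)
    if verdict != "ok":
        return "deny"  # fail closed: the port could not be determined
    if proto == TCP and dport == 25:
        return "permit" if pkt[24:40] == smtp_gw else "deny"
    return "permit"

def build_sample(n_ext: int, dst: bytes, dport: int = 25) -> bytes:
    """Constructed input: n_ext destination-options headers, then a TCP header."""
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 5 << 4, 2, 65535, 0, 0)
    ext = b"".join(bytes([60 if i < n_ext - 1 else TCP, 0, 1, 4, 0, 0, 0, 0])
                   for i in range(n_ext))
    fixed = struct.pack("!IHBB", 6 << 28, len(ext + tcp), 60 if n_ext else TCP, 64)
    return fixed + SRC + dst + ext + tcp

SRC = bytes.fromhex("20010db8" + "00" * 11 + "01")      # 2001:db8::1, documentation prefix
SMTP_GW = bytes.fromhex("20010db8" + "00" * 11 + "19")  # constructed gateway address
OTHER = bytes.fromhex("20010db8" + "00" * 11 + "02")    # constructed non-gateway address
```

A filter that permits on an undetermined verdict, or that silently discards without counting, loses the signal; logging the `too-many-headers` and `malformed` verdicts separately makes the condition visible.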
