> The caveat to this is that intermediate devices may also need to parse
> packets but not necessarily participate in the protocol control plane.
> Consider a stateless firewall that parses LISP packets to filter on
> encapsulated IP destination address. If the P-bit is implemented in
> the end hosts, but we've neglected to update all the firewalls in the
> path-- the packet will be misinterpreted if say the firewall sees a
> LISP packet with an encapsulated Ethernet frame. In this case,
> hopefully the firewall will drop the packet, but there's no guarantee
> of that-- the behavior is non-deterministic. Maintaining compatibility
> with such devices is a hard problem and might imply constraints on new
> options that could fundamentally change parsing or interpretation of the
> packet (adding protocol type is a good example case).
I think your point here is (and if I interpreted incorrectly, I'll make a new point then) that if the encapsulated packet is L3 or L2 and described with a port number versus a bit in the payload after the UDP header, it would be easier for firewalls to decide when to filter one versus the other?

Dino

_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3
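To make the quoted failure mode concrete, here is an added example (written for this page, not code from the thread or from any LISP implementation). It models a stateless firewall three ways: a legacy device that assumes the bytes after the encapsulation header are always IPv4, an updated device that honours a payload-type flag and next-protocol field, and a device that keys on the UDP destination port as the reply suggests. The flag position, next-protocol code points, the L2 port number, the MAC addresses and the deny-listed address are all constructed assumptions for the example and are not the real LISP or LISP-GPE layout.

```python
import struct
from ipaddress import IPv4Address

# --- Constructed constants for this example -------------------------------
# The real LISP/LISP-GPE flag positions and next-protocol code points are not
# taken from the thread; these values are assumptions used only to contrast
# the two signalling styles (a P-bit in the encap header vs. the UDP port).
P_BIT = 0x80            # assumed position of the "payload type present" flag
NP_IPV4 = 1             # assumed next-protocol value: inner packet is IPv4
NP_ETHERNET = 3         # assumed next-protocol value: inner is an Ethernet frame
PORT_L3_ENCAP = 4341    # assumed UDP port signalling an encapsulated L3 packet
PORT_L2_ENCAP = 49152   # assumed UDP port signalling an encapsulated L2 frame
ENCAP_HDR_LEN = 8       # the 8-byte UDP header is followed by an 8-byte encap header
INNER_OFFSET = 8 + ENCAP_HDR_LEN

DENY_DST = {IPv4Address("10.0.0.9")}   # constructed policy: block this inner destination


def ipv4_header(dst, src="192.0.2.1"):
    """Minimal 20-byte IPv4 header (no options, checksum left as zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def ethernet_frame(ip_packet):
    """Untagged Ethernet frame (constructed MACs, EtherType 0x0800) carrying IPv4."""
    return (bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
            + b"\x08\x00" + ip_packet)


def encapsulate(dst_port, inner, next_proto=None):
    """UDP header + encap header + inner payload. next_proto=None models a
    sender that predates the P-bit and leaves the flag clear."""
    flags = P_BIT if next_proto is not None else 0
    encap_hdr = struct.pack("!B3s3sB", flags, b"\x00" * 3, b"\x00" * 3, next_proto or 0)
    udp_hdr = struct.pack("!HHHH", 40000, dst_port, 8 + len(encap_hdr) + len(inner), 0)
    return udp_hdr + encap_hdr + inner


def verdict_for_ipv4(inner):
    """Apply the deny list only once the payload has been confirmed to be IPv4."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return "drop"                      # not IPv4 at all: fail closed
    return "drop" if IPv4Address(inner[16:20]) in DENY_DST else "allow"


def legacy_filter(pkt):
    """Firewall that was never updated: it assumes the bytes after the encap
    header are always IPv4 and reads the destination field blindly.
    Returns (verdict, the address it believed it saw)."""
    inner = pkt[INNER_OFFSET:]
    seen_dst = IPv4Address(inner[16:20])   # whatever bytes happen to sit at that offset
    return ("drop" if seen_dst in DENY_DST else "allow"), str(seen_dst)


def p_bit_filter(pkt):
    """Updated firewall: honours the P-bit and next-protocol field, skips the
    Ethernet header for L2 payloads, and drops anything it cannot classify."""
    flags, next_proto = pkt[8], pkt[15]
    inner = pkt[INNER_OFFSET:]
    if flags & P_BIT:
        if next_proto == NP_ETHERNET:
            if inner[12:14] != b"\x08\x00":   # only untagged IPv4-in-Ethernet is understood
                return "drop"
            inner = inner[14:]
        elif next_proto != NP_IPV4:
            return "drop"                     # unknown payload type: fail closed
    return verdict_for_ipv4(inner)


def port_filter(pkt):
    """Port-based signalling: the UDP destination port says what is inside, so a
    stateless device needs no knowledge of the encap header's flag bits."""
    dst_port = struct.unpack("!H", pkt[2:4])[0]
    inner = pkt[INNER_OFFSET:]
    if dst_port == PORT_L2_ENCAP:
        if inner[12:14] != b"\x08\x00":
            return "drop"
        inner = inner[14:]
    elif dst_port != PORT_L3_ENCAP:
        return "drop"
    return verdict_for_ipv4(inner)


def demo():
    """Verdicts of the three filters for an L3 and an L2 encapsulation of a denied destination."""
    denied = ipv4_header("10.0.0.9")
    l3_pkt = encapsulate(PORT_L3_ENCAP, denied, NP_IPV4)
    l2_pkt = encapsulate(PORT_L2_ENCAP, ethernet_frame(denied), NP_ETHERNET)
    return {
        "l3": (legacy_filter(l3_pkt)[0], p_bit_filter(l3_pkt), port_filter(l3_pkt)),
        "l2": (legacy_filter(l2_pkt)[0], p_bit_filter(l2_pkt), port_filter(l2_pkt)),
        "legacy_saw_on_l2": legacy_filter(l2_pkt)[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the L2 packet the legacy filter reads the IPv4 total-length and identification fields as a destination address (0.20.0.0 here) and lets the denied packet through, which is the misinterpretation the quoted paragraph warns about; the two updated filters either find the real inner header or fail closed on a payload type they do not understand.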
