Stewart,

>> So you are arguing that we need to define ULPs that are easy for routers to
>> parse?

> I don't see how you would conclude that from the above. What is needed is
> that whatever the parser needs to parse needs to be easy and cheap to parse.

“what’s needed” is clearly something which is very contentious.
There is a reason why encryption by default is a necessity.

>> At arbitrary depth? Because why would the buck stop at the UDP header when
>> transport has moved one layer up?

> What is the status of the flow label in practice? As I said earlier in the
> thread, I know the five tuple is trusted for ECMP, but I hear very little
> discussion of the flow label being a trusted source of entropy to feed the
> ECMP selector.

I don’t know. I hear the situation is improving. Would be great if someone with access to a large packet trace could tell us.

That said, you will not always find the ports: fragmented packets, non-TCP/UDP protocols (GRE, IPinIP etc). You need to tackle that case too. At least with the flow label you would be able to ECMP correctly for a session containing both fragmented and not fragmented packets.

>> As opposed to the 6man argument which is that IPv6 is explicitly designed to
>> only require routers to need to process the first 40 bytes (with the one
>> exception hook).
>> And the design of EHs is specifically done to make it hard to parse for
>> intermediate devices…

> That seems a fundamentally bad idea. Why would you go out of your way to make
> something difficult when you never know what path future protocol development
> will take you?

It was a value decision. Any time the network starts to delve deeply into packets, that prohibits innovation and end to end transparency. Of course it wasn’t a perfect solution. Encryption is the only thing that can “solve” it properly.

>> Is that really the Internet we want? Of course it will be countered with
>> encryption, but I foresee a raft of problems if the IETF as a whole would
>> redefine the “formal Internet architecture”.

> I think I have been describing the Internet architecture as it exists today
> regardless of what the RFCs say.

Sure. But I think the IETF’s signal effect is quite important.
And we are doing quite a bit to rectify the current state. If everything is encrypted, sure, you might have a UDP header to do ECMP on, but you would need other indicators to detect attack traffic.

Cheers,
Ole

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
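As an added illustration of the point about fragments and non-TCP/UDP payloads made in the message above (example code written for this page, not code from the thread or from any IETF document), the following extracts both a five-tuple key and a flow-label key from constructed IPv6 packets. The addresses, ports, flow label and the toy hash selector are all assumptions, and only the Fragment extension header is walked.

```python
import hashlib
import struct

# Constructed sample values (not from the thread): addresses, ports, flow label.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
FLOW_LABEL = 0x5A5A5
NH_TCP, NH_UDP, NH_FRAG, NH_GRE = 6, 17, 44, 47

def ipv6_packet(next_header, payload, flow_label=FLOW_LABEL):
    """Minimal IPv6 packet: 40-byte base header (RFC 8200) plus payload."""
    first_word = (6 << 28) | flow_label  # version 6, traffic class 0
    return struct.pack("!IHBB", first_word, len(payload), next_header, 64) + SRC + DST + payload

def frag_header(next_header, offset, more, ident=0x1234):
    """Fragment extension header; offset is in 8-byte units, M flag in bit 0."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | more, ident)

def ecmp_keys(pkt):
    """Return (five_tuple_key, flow_label_key) for one IPv6 packet.
    five_tuple_key is None when no ports can be found: non-first fragments and
    non-TCP/UDP payloads such as GRE. Only the Fragment header is walked here."""
    first_word, _plen, nh, _hop = struct.unpack("!IHBB", pkt[:8])
    src, dst = pkt[8:24], pkt[24:40]
    flow_key = (src, dst, first_word & 0xFFFFF)  # 3-tuple: addresses + flow label
    off = 40
    while nh == NH_FRAG:
        nh, _res, off_flags, _ident = struct.unpack("!BBHI", pkt[off:off + 8])
        off += 8
        if off_flags >> 3:  # non-zero fragment offset: the L4 header is not in this packet
            return None, flow_key
    if nh in (NH_TCP, NH_UDP) and len(pkt) >= off + 4:
        sport, dport = struct.unpack("!HH", pkt[off:off + 4])
        return (src, dst, nh, sport, dport), flow_key
    return None, flow_key

def path_index(key, n_paths=4):
    """Toy ECMP selector: hash a key to one of n_paths next hops."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_paths

# One UDP session seen as a whole datagram, a first fragment and a later fragment, plus GRE.
UDP_HDR = struct.pack("!HHHH", 40000, 53, 16, 0) + b"\x00" * 8
WHOLE = ipv6_packet(NH_UDP, UDP_HDR)
FIRST_FRAG = ipv6_packet(NH_FRAG, frag_header(NH_UDP, 0, 1) + UDP_HDR)
LATER_FRAG = ipv6_packet(NH_FRAG, frag_header(NH_UDP, 2, 0) + b"\x00" * 16)
GRE = ipv6_packet(NH_GRE, b"\x00\x00\x08\x00")
```

Hashing the flow-label key sends every packet of the session, fragmented or not, down the same path, whereas the five-tuple key simply does not exist for the later fragment or the GRE packet and a five-tuple selector has to fall back to something else.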
