Re: What to improve? BCP-38/SAC-004 anyone?
Jared Mauch <jared@puck.nether.net> Thu, 31 December 2015 19:36 UTC
Return-Path: <jared@puck.nether.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47FC91A8A59 for <ietf@ietfa.amsl.com>; Thu, 31 Dec 2015 11:36:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.912
X-Spam-Level:
X-Spam-Status: No, score=-1.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vrOHAEuW0w-h for <ietf@ietfa.amsl.com>; Thu, 31 Dec 2015 11:36:50 -0800 (PST)
Received: from puck.nether.net (puck.nether.net [IPv6:2001:418:3f4::5]) by ietfa.amsl.com (Postfix) with ESMTP id DB53A1A8A58 for <ietf@ietf.org>; Thu, 31 Dec 2015 11:36:50 -0800 (PST)
Received: from [IPv6:2601:401:3:6a00:d541:7674:527b:16ca] (unknown [IPv6:2601:401:3:6a00:d541:7674:527b:16ca]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by puck.nether.net (Postfix) with ESMTPSA id 4832054054E; Thu, 31 Dec 2015 14:36:48 -0500 (EST)
Subject: Re: What to improve? BCP-38/SAC-004 anyone?
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Content-Type: text/plain; charset="utf-8"
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <568579FB.6030702@gmail.com>
Date: Thu, 31 Dec 2015 14:36:47 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <DE81772E-22BA-45CE-A1B8-9E1BB34C0460@puck.nether.net>
References: <7664F94E-F7A6-4556-B1E6-2DE536A7B7FC@frobbit.se> <5684FCDB.7010009@mnt.se> <A074CA07-691E-41A7-B1D7-33F4ECBED5A9@puck.nether.net> <568579FB.6030702@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/h-EFN0cqUUSoEM96FW01uhpq5bw>
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Dec 2015 19:36:52 -0000
> On Dec 31, 2015, at 1:54 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote: > > On 01/01/2016 06:04, Jared Mauch wrote: > ... >> The reason we (as an operator) can’t use BCP-38 is the vendor hardware can’t do it at line-rate and the performance hit is too much to sustain. > > That seems worth a bit more discussion. I'd always naively assumed that BCP38 was > scalable since all it appears to need is a prefix match, and routers are very > good at matching prefixes; it's just that they don't normally match the source > prefix. Could some router-vendor person comment on this? The problem is you have to lookup on the SRC part of packet in addition with DST part. These are now two lookups in the forwarding path. Then you have to decide the policy (drop|pass|count). I’ve told vendors I’d like to be able to remark packets that are a lookup miss. This means I can easier count/track them in flow data, etc. But for the small percentage of spoofed packets, the cost on the rest is so high when we are often PPS limited on even the largest routers. The 40-byte packet benchmark of the late 90s isn’t seen today. > There's another issue here, though. BCP-38 and uRPF are also a potential cause of > connectivity problems: https://tools.ietf.org/html/draft-ietf-6man-multi-homed-host Yes, this is a problem, there’s no good way to communicate the “feasible paths” policy amongst all the devices involved. Knowing what’s connected or downstream to me is easy, knowing 1 hop away gets much harder and increases with each node/edge traversed. - Jared
- What to improve? BCP-38/SAC-004 anyone? Patrik Fältström
- Re: What to improve? BCP-38/SAC-004 anyone? Leif Johansson
- Re: What to improve? BCP-38/SAC-004 anyone? tom p.
- Re: What to improve? BCP-38/SAC-004 anyone? Patrik Fältström
- Re: What to improve? BCP-38/SAC-004 anyone? Kathleen Moriarty
- Re: What to improve? BCP-38/SAC-004 anyone? Jared Mauch
- Re: What to improve? BCP-38/SAC-004 anyone? Leif Johansson
- Re: What to improve? BCP-38/SAC-004 anyone? Jared Mauch
- Re: What to improve? BCP-38/SAC-004 anyone? joel jaeggli
- Re: What to improve? BCP-38/SAC-004 anyone? Steve Crocker
- Re: What to improve? BCP-38/SAC-004 anyone? Brian E Carpenter
- Re: What to improve? BCP-38/SAC-004 anyone? joel jaeggli
- Re: What to improve? BCP-38/SAC-004 anyone? Jared Mauch
- Re: What to improve? BCP-38/SAC-004 anyone? John Levine
- Re: What to improve? BCP-38/SAC-004 anyone? Jared Mauch
- Re: What to improve? BCP-38/SAC-004 anyone? Michael Richardson
- Re: What to improve? BCP-38/SAC-004 anyone? Michael Richardson
- Re: What to improve? BCP-38/SAC-004 anyone? Michael Richardson
- Re: What to improve? BCP-38/SAC-004 anyone? Jared Mauch
- Re: What to improve? BCP-38/SAC-004 anyone? Jared Mauch
- Re: What to improve? BCP-38/SAC-004 anyone? Patrik Fältström
- Re: What to improve? BCP-38/SAC-004 anyone? Randy Bush
- Re: What to improve? BCP-38/SAC-004 anyone? Patrik Fältström
- RE: What to improve? BCP-38/SAC-004 anyone? Christian Huitema
- Re: What to improve? BCP-38/SAC-004 anyone? John Levine
- Re: What to improve? BCP-38/SAC-004 anyone? Jari Arkko
- Re: What to improve? BCP-38/SAC-004 anyone? Donald Eastlake
- Re: What to improve? BCP-38/SAC-004 anyone? Jim Gettys
- Re: Fwd: What to improve? BCP-38/SAC-004 anyone? dave taht
- Re: What to improve? BCP-38/SAC-004 anyone? George, Wes