Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text

[Jeroen Massar <jeroen@massar.ch>]

On 2015-04-22 09:12, sthaug@nethelp.no wrote:
>> So I wasn't naively asking those questions, I know what the answers were likely to be.
>> What I'd really like is for people to actually say what they want, which I think is an Internet with packets that look like
>> [IPv6 Fixed Hdr][TCP Hdr], total size <= 1280[IPv6 Fixed Hdr][UDP Hdr], total size <= 1280
>> and that is it.
>> The consequence would be to deprecate many existing protocols and making them work over fragment unnecessary TCP or UDP.
> 
> I see no reason to deprecate IPv6 EHs. But I need 
> 
>  [IPv6 Fixed Hdr] + [IPv6 EHs] + [L4 Hdr] <= hardware inspection limit
> 
> in order for the router hardware to be able to filter based on TCP/UDP
> headers at line rate.

The nasty answer to such a statement is: increase your hardware
inspection limit.


But the easier one, that works today is that very likely your DNS
servers recursing IP space is dedicated.

Hence, any packet headed toward those addresses is "private" and should
not get an answer.

Thus, instead of doing filtering on L4, why not just not route those
packets at all (L3)? Don't even have to firewall it.


My printer for instance has a nice global address, but as the border
router does not forward packets from $internet to $printer-net, a
traceroute or anything else ends up in a simple !N.

No per-port inspection needed, just plain old good routing.



Btw, does your hardware-load-balancer inspect ICMPv6 to do stateless
flow routing for ICMPv6 errors to the correct host? Or are you also just
fumbling with ICMPv6 PTBs like Amazon (+NetFlix) & Google?

Greets,
 Jeroen