Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text

[Gert Doering <gert@space.net>]

Hi,

On Mon, Apr 20, 2015 at 02:28:08PM -0700, Joe Touch wrote:
> On 4/20/2015 2:21 PM, Gert Doering wrote:
> > On Mon, Apr 20, 2015 at 08:43:28AM -0700, Joe Touch wrote:
> >>> If for some reasons, a router in the middle needs access to layer-4
> >>                                               ^^^^^
> >>> information (IPFIX? DDoS mitigation? ... ?), then the EH chain must be
> >>> parsed which can cause a performance impact.
> > [..]
> >> 	1) this is the router vendor's decision, not a requirement
> >> 	of Internet routers
> > 
> > So, please tell me how you build an Internet router that is able to
> > defend itself against control plane abuse and does not need to look into
> > L4 to do so?
> 
> A router can protect its own control plane by looking at the packet
> contents, but then it is acting as a host at that point and should be
> looking there only for packets addressed to interfaces of that router.
> That's not a forwarding function and thus doesn't limit the forwarding
> plane.

Of course, but real world requires that this filter function needs to be
implemented in the forwarding plane, because otherwise packets would just
saturate the link between forwarding and control plane if you would only 
filter on "the other side".

From a purely academic point of view, I totally agree with you.  

Unfortunately, the Internet is not.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279