Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text

[Mark ZZZ Smith <markzzzsmith@yahoo.com.au>]

      From: Joe Touch <touch@isi.edu>
 To: Gert Doering <gert@space.net> 
Cc: "v6ops@ietf.org" <v6ops@ietf.org>; Merike Kaeo <merike@doubleshotsecurity.com>; "draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org" <draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org>; Fernando Gont <fgont@si6networks.com> 
 Sent: Tuesday, 21 April 2015, 7:28
 Subject: Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text
   


On 4/20/2015 2:21 PM, Gert Doering wrote:
> Hi,
> 
> On Mon, Apr 20, 2015 at 08:43:28AM -0700, Joe Touch wrote:
>>> If for some reasons, a router in the middle needs access to layer-4
>>                                              ^^^^^
>>> information (IPFIX? DDoS mitigation? ... ?), then the EH chain must be
>>> parsed which can cause a performance impact.
> [..]
>>     1) this is the router vendor's decision, not a requirement
>>     of Internet routers
> 
> So, please tell me how you build an Internet router that is able to
> defend itself against control plane abuse and does not need to look into
> L4 to do so?

A router can protect its own control plane by looking at the packet
contents, but then it is acting as a host at that point and should be
looking there only for packets addressed to interfaces of that router.
That's not a forwarding function and thus doesn't limit the forwarding
plane.

/ I agree with this. It is easy to forget that a "router" is in actually a packet router at the forwarding plane and a host at the control plane.

It is not a requirement that one router protect the control planes of
other routers from abuse. That is a feature - and if you want to sell
that as a feature, your device should support doing so at rate.


 

Joe


_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops