Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text

[Joe Touch <touch@isi.edu>]

On 4/20/2015 11:48 PM, Gert Doering wrote:
> Hi,
> 
> On Mon, Apr 20, 2015 at 02:28:08PM -0700, Joe Touch wrote:
>> On 4/20/2015 2:21 PM, Gert Doering wrote:
>>> On Mon, Apr 20, 2015 at 08:43:28AM -0700, Joe Touch wrote:
>>>>> If for some reasons, a router in the middle needs access to layer-4
>>>>                                               ^^^^^
>>>>> information (IPFIX? DDoS mitigation? ... ?), then the EH chain must be
>>>>> parsed which can cause a performance impact.
>>> [..]
>>>> 	1) this is the router vendor's decision, not a requirement
>>>> 	of Internet routers
>>>
>>> So, please tell me how you build an Internet router that is able to
>>> defend itself against control plane abuse and does not need to look into
>>> L4 to do so?
>>
>> A router can protect its own control plane by looking at the packet
>> contents, but then it is acting as a host at that point and should be
>> looking there only for packets addressed to interfaces of that router.
>> That's not a forwarding function and thus doesn't limit the forwarding
>> plane.
> 
> Of course, but real world requires that this filter function needs to be
> implemented in the forwarding plane, because otherwise packets would just
> saturate the link between forwarding and control plane if you would only 
> filter on "the other side".

DDOS filtering is a feature, not a requirement.

If you want to offer that as a feature, please stop complaining that
customers should expect that it runs at rate with packets that conform
to existing standards.

> From a purely academic point of view, I totally agree with you.  
> 
> Unfortunately, the Internet is not.

The Internet is also not designed to optimize your profit margins either.

Joe