Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

Saku Ytti saku at ytti.fi
Fri Sep 30 15:08:08 UTC 2011


On (2011-09-30 10:45 -0400), Christopher Morrow wrote:

> after this long, yes... this is just dumb, there's no reason that the
> default should be punt. There are cases (you've brought up a few)
> where it's required today because of design limitations, there really
> shouldn't be cases like this anymore. this isn't our first rodeo,
> 'lessons learned' and all that...

Certainly possible, but will you pay the premium? I won't. To implement IPv6
according to the standard, your lookup engine needs to have an MTU-wide view, so up
to 65kB. The most common view today is probably 64B, and the highest I know of is 256B.
And for the corner cases where this isn't enough, I'm happy to handle it in
software, rather than pay a premium to do it all in hardware.

> traceroute could certainly be handled in the fastpath.

Yup. But again, who would pay for this? I cannot be DoSed by TTL exceeds, as
there are sufficient protection mechanisms in my hardware. So I would not pay a
premium for this feature.

> what is that limit? from a single port? from a single linecard? from a
> chassis? how about we remove complexity here and just deal with this
> in the fastpath?

It would increase cost and complexity greatly. If I could get it for free, then
I would take it, but I have a lot more important things I want router vendors to fix
first. What I do wish vendors would do is test the box with attack vectors and implement
sane defaults (IOS-XR is relatively good in this respect, or maybe it just
looks that way as the rest of them are really bad with their defaults).

Very recently I had a chat with a GSR owner who was happy that GSR/IOS is a solid
DDoS-resistant platform, while actually it is impossible to protect GSR/IOS (outside
iACL) as none of the protections (rACL/CoPP) are implemented in hardware. 7600
is reasonably good for its age in this matter.
But even modern examples, like the MX80, completely fail with defaults. Killed an MX80
in the lab with a bit over 5Mbps of IP options. Protection is quite easy, but still
most people do not do it, so vendors really should ship boxes with saner
defaults.

-- 
  ++ytti
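The lookup-window limit Saku describes (the forwarding engine only sees a fixed number of leading bytes, so an IPv6 packet whose extension-header chain pushes the transport header past that window has to be punted to software) can be modelled directly. The following is an added example, not code from the post or from any Cisco or Juniper implementation; the constructed packets, the 64B/256B window widths taken from the post, and the rule that the engine needs the four L4 port bytes inside the window are assumptions for illustration.

```python
import struct

# IPv6 Next Header values (IANA) for the headers the chain walker understands
HOPOPT, ROUTING, FRAGMENT, DSTOPTS, TCP = 0, 43, 44, 60, 6
EXTENSION_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}
BASE_HEADER_LEN = 40

def build_packet(ext_headers, l4=TCP, l4_bytes=b"\x00\x50\x1f\x90"):
    """Constructed sample IPv6 packet (all-zero addresses). ext_headers is a list of
    (header_type, hdr_ext_len) in chain order; hdr_ext_len is the RFC 2460 "Hdr Ext
    Len" field (8-octet units beyond the first 8), ignored for the 8-byte Fragment header."""
    chain = [t for t, _ in ext_headers] + [l4]
    body = b""
    for (t, ext_len), nxt in zip(ext_headers, chain[1:]):
        if t == FRAGMENT:  # Next Header, Reserved, Offset=0 + M flag (first fragment), ID
            body += struct.pack("!BBHI", nxt, 0, 1, 0x1234)
        else:              # Next Header, Hdr Ext Len, zero-padded option space
            body += bytes([nxt, ext_len]) + b"\x00" * ((ext_len + 1) * 8 - 2)
    payload = body + l4_bytes
    base = struct.pack("!IHBB16s16s", 0x60000000, len(payload), chain[0], 64,
                       b"\x00" * 16, b"\x00" * 16)
    return base + payload

def l4_offset(pkt):
    """Walk the extension-header chain and return (upper-layer protocol, byte offset of
    its header); the offset is None for non-first fragments, which carry no L4 header."""
    if len(pkt) < BASE_HEADER_LEN:
        raise ValueError("truncated base header")
    nh, off = pkt[6], BASE_HEADER_LEN
    while nh in EXTENSION_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh = pkt[off]
        if nh == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:  # fragment offset != 0
                return next_nh, None
            off += 8
        else:
            off += (pkt[off + 1] + 1) * 8
        nh = next_nh
    return nh, off

def lookup_decision(pkt, window=64):
    """'hardware' if the L4 port fields end inside the forwarding engine's lookup window
    (64B and 256B are the widths the post mentions), otherwise 'punt' to software."""
    proto, off = l4_offset(pkt)
    return "hardware" if off is not None and off + 4 <= window else "punt"
```

A bare TCP packet or one with just a Fragment header resolves inside a 64-byte window; a 24-byte Destination Options header in front of the Fragment header pushes the ports to byte 72 and forces a punt unless the window is 256 bytes.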
