ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms

Saku Ytti saku at ytti.fi
Fri Mar 8 16:48:48 UTC 2019


On Fri, Mar 8, 2019 at 5:44 PM Töma Gavrichenkov <ximaera at gmail.com> wrote:

> My point is that it might be hard to find an affordable device that
> implements ECMP with v6 flow labels without a considerable performance
> impact. I would personally be happy to see what others have tested in
> that regard.

Why do you think it would be expensive? It's cheaper than how ECMP is
done for L3 keys, because you just read the flow label and do not
calculate any hash. Much, much cheaper than how ECMP is done for L3+L4
keys, if that is done right, which it is not, because no device
implements IPv6 correctly, as it's not possible in reasonably
performing hardware, but this has nothing to do with ECMP.
But in any case, flow labels are not the right solution here; this is
not an IPv6 problem, this is an IP problem. The right solution is to look at
L3+L4 inside the embedded ICMP packet, as that solves the problem for
both AFIs. This at most costs one branch (negligible in a typical NPU),
as you set a different static offset based on whether you're parsing ICMP or
not. In all likelihood it costs nothing, as the code likely already
contains a branch for ICMP where you can just reset the ECMP offset.

I still fail to understand why you think this particular problem has
anything to do with attacks or ICMP volume. I find no such indications, and
the two Cloudflare blog articles do not state attacks as motivators for
this; it's just a technical problem of delivering the ICMP packets to the
correct host. A real problem affecting other networks too, but a
problem we can fix, if we start asking our vendors for a fix.





-- 
  ++ytti
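As an added illustration of the "look at L3+L4 inside the embedded ICMP packet" point above (this is example code written for this page, not code from the post, from Cloudflare or from any vendor), here is the flow-key selection a router would do, in Python, for both AFIs. An ICMPv6 Packet Too Big (or ICMPv4 Fragmentation Needed) arriving from a router in the path is hashed on the original packet it carries, with addresses and ports swapped, so that it hashes exactly like the client-to-host traffic of the flow it belongs to. Assumptions: no IPv6 extension headers between the IPv6 header and TCP, checksums left at zero in the constructed packets, SHA-256 as a stand-in for the NPU's cheap hash, and documentation prefixes (RFC 3849 / RFC 5737) for all addresses.

```python
"""ECMP flow-key selection that looks inside ICMP error packets.

Added example (not code from the post or from any vendor). A router picking an
ECMP member hashes a flow key; for an ICMP/ICMPv6 error the key is taken from
the original packet embedded in the error, with addresses and ports swapped,
so the error lands on the same path/host as the flow it reports on.
Assumptions: no IPv6 extension headers, checksums left zero, SHA-256 as a
stand-in for the NPU's cheap hash, documentation addresses only.
"""
import hashlib
import ipaddress
import struct

PORTED_PROTOCOLS = {6, 17}               # TCP, UDP: ports at L4 offset 0
ICMPV4_ERROR_TYPES = {3, 4, 5, 11, 12}   # RFC 792 errors that embed the original
# ICMPv6: every type below 128 is an error message (RFC 4443); 2 = Packet Too Big


def parse_l3_l4(pkt, off=0):
    """Return (src, dst, proto, sport, dport, l4_offset) for the IP header at off."""
    version = pkt[off] >> 4
    if version == 6:
        proto, l4 = pkt[off + 6], off + 40
        src, dst = pkt[off + 8:off + 24], pkt[off + 24:off + 40]
    elif version == 4:
        proto, l4 = pkt[off + 9], off + (pkt[off] & 0x0F) * 4
        src, dst = pkt[off + 12:off + 16], pkt[off + 16:off + 20]
    else:
        raise ValueError("not an IP packet")
    sport = dport = None
    if proto in PORTED_PROTOCOLS and len(pkt) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", pkt, l4)
    return src, dst, proto, sport, dport, l4


def ecmp_key(pkt, inner_aware=True):
    """5-tuple to hash. With inner_aware=True an ICMP error hashes like the
    reverse direction of the flow it describes (the 'reset the ECMP offset' fix)."""
    src, dst, proto, sport, dport, l4 = parse_l3_l4(pkt)
    version = pkt[0] >> 4
    is_error = ((version == 6 and proto == 58 and pkt[l4] < 128)
                or (version == 4 and proto == 1 and pkt[l4] in ICMPV4_ERROR_TYPES))
    if inner_aware and is_error:
        # The embedded packet is the one our host sent; the error travels the
        # other way, so swapping yields exactly the key of client -> host traffic.
        # Both ICMPv4 and ICMPv6 error headers are 8 bytes before the embedded packet.
        isrc, idst, iproto, isport, idport, _ = parse_l3_l4(pkt, l4 + 8)
        return idst, isrc, iproto, idport, isport
    return src, dst, proto, sport, dport


def ecmp_bucket(key, n_paths):
    """Map a key to an ECMP member; SHA-256 stands in for the hardware hash."""
    src, dst, proto, sport, dport = key
    blob = src + dst + bytes([proto]) + struct.pack("!HH", sport or 0, dport or 0)
    return int.from_bytes(hashlib.sha256(blob).digest()[:4], "big") % n_paths


# --- constructed packets for the demo (checksums are not computed) -------------
def ipv6(src, dst, nh, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nh, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload

def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def tcp(sport, dport, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0) + payload

def icmpv6_too_big(mtu, original):       # type 2, code 0, MTU, then as much as fits
    return struct.pack("!BBHI", 2, 0, 0, mtu) + original[:1232]

def icmpv4_frag_needed(mtu, original):   # type 3, code 4, next-hop MTU, IP hdr + 8
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + original[:28]


def demo(v6=True):
    """Keys of: client->host data, the too-big error hashed on its outer header,
    and the same error hashed on the embedded (swapped) header."""
    if v6:
        client, host, router = "2001:db8:ffff::10", "2001:db8::1", "2001:db8:aaaa::1"
        forward = ipv6(client, host, 6, tcp(50000, 443))
        outbound = ipv6(host, client, 6, tcp(443, 50000, b"x" * 1400))
        error = ipv6(router, host, 58, icmpv6_too_big(1280, outbound))
    else:
        client, host, router = "203.0.113.10", "198.51.100.1", "192.0.2.1"
        forward = ipv4(client, host, 6, tcp(40000, 443))
        outbound = ipv4(host, client, 6, tcp(443, 40000, b"x" * 1400))
        error = ipv4(router, host, 1, icmpv4_frag_needed(1280, outbound))
    return ecmp_key(forward), ecmp_key(error, inner_aware=False), ecmp_key(error)


if __name__ == "__main__":
    for v6 in (True, False):
        fwd, outer, inner = demo(v6)
        print("IPv6" if v6 else "IPv4", "outer-key match:", outer == fwd,
              "inner-key match:", inner == fwd, "buckets/16:",
              ecmp_bucket(fwd, 16), ecmp_bucket(outer, 16), ecmp_bucket(inner, 16))
```

Hashed on its outer header the error carries (router, host, ICMP, no ports), which has no relation to the client's flow and so lands on an arbitrary member; hashed on the embedded header it yields the same key as the client's data packets, whatever the hash function is. The swap is only needed when the hash is not symmetric in src/dst and sport/dport; with a symmetric hash the inner tuple can be used as-is. A real parser would also have to skip IPv6 extension headers before reaching the ports, which this example assumes are absent.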



More information about the NANOG mailing list