ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms

Saku Ytti saku at ytti.fi
Fri Mar 8 17:18:34 UTC 2019


On Fri, Mar 8, 2019 at 7:07 PM Töma Gavrichenkov <ximaera at gmail.com> wrote:

> It's been a while since then, and maybe there was a mistake on our
> side (at least within a perfectly academic context I must assume that
> there was, as there was no peer review — we were not in academia after
> all!), but I'm still inclined to, first, see the benchmarks of any
> proposed piece of hardware that's promising you ECMP with flow labels,
> and second, make any statements about the latter.

1) current implementation
- set offset byte to 8
- read 128 bits to memory1
- read 128 bits to memory2
- return hash_function(memory1, memory2)

This is _JUST_ for L3 keys; in reality customers want L4 keys too, so
it's more expensive. Particularly in IPv6, the L4 keys could be
_anywhere_, potentially gigabytes in future; for the same reasons, in IPv6
you can bypass ACL filters in many cases, because the HW device won't
know what the L4 keys are.

2) flow label implementation
- set offset to 12 bits
- read 20 bits to memory1
- return memory1

Seems cheaper to me. But still not a good solution, as it is
AFI-specific and requires us to actually use the flow label consistently,
which is not universally true. ECMP on embedded ICMP would actually
work without any changes anywhere else but the device calculating the
hash.

-- 
  ++ytti
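The two key-extraction strategies from the mail, and the "hash on the embedded packet" fix for ICMPv6 Packet Too Big, as an added Python example (not code from either poster or from any vendor). It builds constructed IPv6/TCP/ICMPv6 packets with RFC 3849 documentation addresses, extracts L3 keys at byte offset 8, the 20-bit flow label at bit offset 12, and L4 keys by walking the extension-header chain (bounded, and giving up on non-first fragments, which is the "L4 keys could be anywhere" problem). An ECMP front end that hashes the PTB's outer header sends it to a different bucket than the TCP flow it refers to; keying on the quoted invoking packet with addresses and ports swapped puts it back in the flow's bucket. Function names, the bucket count and the sample packets are all my own assumptions.

```python
"""ECMP hash-key extraction for IPv6 and the ICMPv6 Packet-Too-Big case.
Added example for the NANOG thread; packets below are constructed, not captured."""
import hashlib
import ipaddress
import struct

TCP, UDP, FRAG, ICMPV6 = 6, 17, 44, 58
EXT_HEADERS = {0, 43, 60}          # HBH, Routing, Dest-opts: (hdr_ext_len + 1) * 8 bytes
ICMPV6_PACKET_TOO_BIG = 2


def build_ipv6(src, dst, next_header, payload, flow_label=0):
    """Minimal IPv6 header (RFC 8200): version 6, TC 0, 20-bit flow label, hop limit 64."""
    first32 = (6 << 28) | (flow_label & 0xFFFFF)
    hdr = struct.pack("!IHBB", first32, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_tcp(sport, dport):
    """20-byte TCP header: data offset 5, SYN flag, zeroed seq/ack/checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0xFFFF, 0, 0)


def build_ptb(router, victim, mtu, invoking_packet):
    """ICMPv6 type 2 (RFC 4443 s3.2) quoting as much of the invoking packet as fits."""
    icmp = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + invoking_packet[:1232]
    return build_ipv6(router, victim, ICMPV6, icmp)


def l3_keys(pkt):
    """Implementation 1 from the mail: offset byte 8, read 128 bits twice."""
    return pkt[8:24], pkt[24:40]


def flow_label_key(pkt):
    """Implementation 2 from the mail: offset 12 bits, read 20 bits."""
    return struct.unpack("!I", pkt[0:4])[0] & 0xFFFFF


def l4_keys(pkt):
    """Walk the extension-header chain to the transport header.
    Returns (proto, sport, dport), or None when the ports cannot be found
    (unknown header, truncated packet, or a non-first fragment)."""
    nh, off = pkt[6], 40
    for _ in range(8):                       # bounded walk; an ASIC parses far less
        if nh in (TCP, UDP):
            if len(pkt) < off + 4:
                return None
            return (nh,) + struct.unpack("!HH", pkt[off:off + 4])
        if nh == FRAG:                       # fixed 8 bytes; ports only in first fragment
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
                return None
            nh, off = pkt[off], off + 8
        elif nh in EXT_HEADERS:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            return None
    return None


def flow_keys(pkt, hash_embedded_icmp=False):
    """5-tuple fed to the ECMP hash. With hash_embedded_icmp, a Packet-Too-Big is
    keyed on the invoking packet it quotes, src/dst and ports swapped, so the error
    lands in the same bucket as the inbound flow that caused it."""
    if hash_embedded_icmp and pkt[6] == ICMPV6 and pkt[40] == ICMPV6_PACKET_TOO_BIG:
        inner = pkt[48:]                     # invoking packet follows the 8-byte ICMPv6 header
        src, dst = l3_keys(inner)
        l4 = l4_keys(inner)
        return (dst, src, inner[6], 0, 0) if l4 is None else (dst, src, l4[0], l4[2], l4[1])
    src, dst = l3_keys(pkt)
    l4 = l4_keys(pkt)
    return (src, dst, pkt[6], 0, 0) if l4 is None else (src, dst) + l4


def ecmp_bucket(keys, n_paths):
    """Deterministic bucket choice; a real ASIC uses a seeded CRC-style function."""
    material = b"".join(k if isinstance(k, bytes) else struct.pack("!I", k) for k in keys)
    return int.from_bytes(hashlib.sha256(material).digest()[:8], "big") % n_paths


def sample_packets():
    """Constructed traffic: client SYN to an anycast VIP, the VIP's oversized reply,
    and the PTB a transit router returns to the VIP for that reply."""
    client, vip, router = "2001:db8:1::10", "2001:db8:ffff::1", "2001:db8:2::1"
    syn = build_ipv6(client, vip, TCP, build_tcp(40000, 443), flow_label=0xABCDE)
    hbh = struct.pack("!BBBB", TCP, 0, 1, 4) + b"\x00" * 4          # HBH header carrying PadN
    syn_hbh = build_ipv6(client, vip, 0, hbh + build_tcp(40000, 443))
    frag = struct.pack("!BBHI", TCP, 0, 160 << 3, 0xDEADBEEF)        # second fragment, offset 1280
    syn_frag = build_ipv6(client, vip, FRAG, frag + b"\x00" * 64)
    reply = build_ipv6(vip, client, TCP, build_tcp(443, 40000) + b"\x00" * 1400)
    return {"syn": syn, "syn_hbh": syn_hbh, "syn_frag": syn_frag,
            "ptb": build_ptb(router, vip, 1280, reply)}


def demo(n_paths=8):
    p = sample_packets()
    return {"syn_bucket": ecmp_bucket(flow_keys(p["syn"]), n_paths),
            "ptb_outer_bucket": ecmp_bucket(flow_keys(p["ptb"]), n_paths),
            "ptb_embedded_bucket": ecmp_bucket(flow_keys(p["ptb"], True), n_paths)}


if __name__ == "__main__":
    for name, bucket in demo().items():
        print(f"{name}: {bucket}")
```

Only `ptb_embedded_bucket` is guaranteed to equal `syn_bucket`; whether `ptb_outer_bucket` collides with it is luck, which is exactly why an anycast farm that hashes the outer header loses most of its PTBs. The flow-label path is cheaper only because it skips the whole `l4_keys` walk, and that walk is where `syn_frag` comes back with no ports at all.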


