ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms

Saku Ytti saku at ytti.fi
Tue Mar 12 11:53:46 UTC 2019


Hey Adam,

> We did this exact testing a while back on Juniper 2nd and 3rd gen PFEs.
> The results showed it doesn't matter a tiny bit whether you do 5-tuple hash or use flow label.
> So the bottom line is on modern NPUs it doesn't really matter.

Does PFE mean PE or Trio? What exactly did you test? I don't see way
to disable L3+L4 keys and enable flow_label.

Doing flow_label + sip + dip + sport + dport indeed would be pretty
almost same cost as sip + dip + spot + dport, the cost difference will
be very marginal.

Doing flow_label or sip+sip+sport+dport the cost difference is
non-marginal, if that actually is true for any specific implementation
is separate matter.

-- 
  ++ytti



More information about the NANOG mailing list