nanog mailing list archives

Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms


From: Saku Ytti <saku () ytti fi>
Date: Fri, 8 Mar 2019 18:48:48 +0200

On Fri, Mar 8, 2019 at 5:44 PM Töma Gavrichenkov <ximaera () gmail com> wrote:

> My point is that it might be hard to find an affordable device that
> implements ECMP with v6 flow labels without a considerable performance
> impact. I would personally be happy to see what others have tested in
> that regard.

Why do you think it would be expensive? It's cheaper than how ECMP is
done for L3 keys, because you just read the flow label and don't
calculate any hash. Much, much cheaper than how ECMP is done for L3+L4
keys, if that is done right, which it is not, because no device
implements IPv6 correctly, as it's not possible in reasonably
performing hardware, but this has nothing to do with ECMP.
But in any case, flow labels are not the right solution here; this is
not an IPv6 problem, this is an IP problem. The right solution is to look at
L3+L4 inside the embedded ICMP packet, as that solves the problem for
both AFIs. This at most costs one branch (negligible in a typical NPU),
as you set a different static offset based on whether you're parsing ICMP or
not. In all likelihood it costs nothing, as the code likely already
contains a branch for ICMP where you can just reset the ECMP offset.

I still fail to understand why you think this particular problem has
anything to do with attacks or ICMP volume. I find no such indications, and
the two Cloudflare blog articles do not state attacks as motivators for
this; it's just a technical problem of delivering the ICMP packets to the
correct host. A real problem affecting other networks too, but a
problem we can fix, if we start asking our vendors for a fix.





-- 
  ++ytti
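As an added illustration of the ECMP key selection described in the message above (this is not code from the thread or from any vendor), the following Python model hashes the outer L3+L4 key for ordinary packets but, for an ICMPv6 Packet Too Big, hashes the reversed key of the embedded packet so the error lands on the same path as the flow's return traffic. The addresses and ports are constructed sample values, extension headers are assumed absent, and CRC32 stands in for a real NPU hash.

```python
import socket
import struct
import zlib

# Constructed sample traffic (not from the thread): IPv6 + TCP, and an
# ICMPv6 Packet Too Big (type 2) that embeds the packet it refers to.
NH_TCP, NH_ICMPV6 = 6, 58
ICMPV6_PACKET_TOO_BIG = 2

def v6(addr):
    return socket.inet_pton(socket.AF_INET6, addr)

def ipv6_packet(src, dst, next_header, payload):
    # Fixed 40-byte IPv6 header: version 6, payload length, next header, hop limit
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + v6(src) + v6(dst) + payload

def tcp_segment(sport, dport):
    return struct.pack("!HH", sport, dport) + b"\x00" * 16  # minimal 20-byte header

def packet_too_big(mtu, original):
    # ICMPv6 header: type, code, checksum (zero here), MTU, then the invoking packet
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + original

def flow_key(pkt, reverse=False):
    """L3+L4 key of a plain IPv6 packet: src, dst, sport, dport (assumes no
    extension headers, so L4 starts at offset 40). reverse=True yields the
    key of the opposite direction of the same flow."""
    src, dst = pkt[8:24], pkt[24:40]
    sport, dport = pkt[40:42], pkt[42:44]
    if reverse:
        src, dst, sport, dport = dst, src, dport, sport
    return src + dst + sport + dport

def ecmp_key(pkt):
    """Key to hash for ECMP: for an ICMPv6 error, use the embedded packet
    instead of the outer header, reversed, because the host that sent the
    embedded packet must receive the error, and that is the host the flow's
    return traffic already reaches."""
    if pkt[6] == NH_ICMPV6 and pkt[40] == ICMPV6_PACKET_TOO_BIG:
        return flow_key(pkt[48:], reverse=True)  # skip 8-byte ICMPv6 header
    return flow_key(pkt)

def ecmp_path(pkt, n_paths):
    # Any deterministic hash works; CRC32 stands in for the NPU's hash here.
    return zlib.crc32(ecmp_key(pkt)) % n_paths

# Farm member A talks to peer B; router R reports a too-small MTU back to A.
A, B, R = "2001:db8::a", "2001:db8::b", "2001:db8:ffff::1"
forward = ipv6_packet(A, B, NH_TCP, tcp_segment(443, 50000))   # A -> B
back = ipv6_packet(B, A, NH_TCP, tcp_segment(50000, 443))      # B -> A
ptb = ipv6_packet(R, A, NH_ICMPV6, packet_too_big(1280, forward))
```

With this key the Packet Too Big and the B to A return traffic always hash to the same path, whereas hashing the outer header of the ICMP message (source R) gives a path unrelated to the flow.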