nanog mailing list archives

Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms


From: Saku Ytti <saku () ytti fi>
Date: Fri, 8 Mar 2019 19:18:34 +0200

On Fri, Mar 8, 2019 at 7:07 PM Töma Gavrichenkov <ximaera () gmail com> wrote:

> It's been a while since then, and maybe there was a mistake on our
> side (at least within a perfectly academic context I must assume that
> there was, as there was no peer review — we were not in academy after
> all!), but I'm still inclined to, first, see the benchmarks of any
> proposed piece of hardware that's promising you ECMP with flow labels,
> second, make any statements about the latter.

1) current implementation
- set offset byte to 8
- read 128 bits to memory1
- read 128 bits to memory2
- return hash_function(memory1, memory2)

This is _JUST_ for L3 keys, in reality customers want L4 keys too, so
it's more expensive. Particularly in IPv6 the L4 keys could be
_anywhere_, potentially gigabytes in future, for the same reasons in IPv6
you can bypass ACL filters in many cases, because the HW device won't
know what the L4 keys are.

2) flow label implementation
 - set offset to 12 bits
 - read 20 bits to memory1
 - return memory1

Seems cheaper to me. But still not a good solution, as it is AFI
specific and requires us to actually use the flow label consistently,
which is not universally true. ECMP on embedded ICMP actually would
work without any changes anywhere else but the device calculating the
hash.

-- 
  ++ytti
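
Added example, not part of the original post: the two key extractions sketched above, plus the "ECMP on embedded ICMP" idea, where an ICMPv6 error is hashed on the addresses of the packet it embeds (swapped) so it lands on the same ECMP member as the flow it reports on. The function names, the FNV-1a stand-in hash, the 2001:db8:: sample addresses and the assumption of no extension headers are all choices made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 2) Flow label: skip version (4 bits) + traffic class (8 bits), read 20 bits. */
uint32_t flow_label(const uint8_t *p) {
    return ((uint32_t)(p[1] & 0x0f) << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* 1) L3 key: 2 x 128 bits at byte offset 8 (src || dst). An ICMPv6 error
 * (next header 58, type < 128) uses the embedded packet's addresses, swapped. */
int ecmp_key(const uint8_t *p, size_t len, uint8_t key[32]) {
    if (len < 40) return -1;
    int err = p[6] == 58 && len >= 88 && p[40] < 128;
    memcpy(key, err ? p + 72 : p + 8, 16);        /* embedded dst, or outer src */
    memcpy(key + 16, err ? p + 56 : p + 24, 16);  /* embedded src, or outer dst */
    return 0;
}

/* Stand-in hash (FNV-1a); a real forwarding plane uses its own function. */
uint32_t ecmp_hash(const uint8_t key[32]) {
    uint32_t h = 2166136261u;
    for (int i = 0; i < 32; i++) { h ^= key[i]; h *= 16777619u; }
    return h;
}

/* Constructed sample: minimal IPv6 header, addresses 2001:db8::<s> and ::<d>. */
void build_hdr(uint8_t *p, uint32_t fl, uint8_t nh, uint8_t s, uint8_t d) {
    static const uint8_t pfx[4] = {0x20, 0x01, 0x0d, 0xb8};
    memset(p, 0, 40);
    p[0] = 0x60; p[1] = (fl >> 16) & 0x0f; p[2] = (uint8_t)(fl >> 8);
    p[3] = (uint8_t)fl; p[6] = nh; p[7] = 64;
    memcpy(p + 8, pfx, 4);  p[23] = s;
    memcpy(p + 24, pfx, 4); p[39] = d;
}

/* Client(::1)->server(::2) packet vs. the Too Big a router(::9) sends to the server. */
int ptb_follows_flow(void) {
    uint8_t fwd[40], ptb[88] = {0}, k1[32], k2[32];
    build_hdr(fwd, 0xabcde, 6, 1, 2);
    build_hdr(ptb, 0, 58, 9, 2);
    ptb[40] = 2;                            /* ICMPv6 type 2 = Packet Too Big */
    build_hdr(ptb + 48, 0x12345, 6, 2, 1);  /* offending server->client packet */
    if (ecmp_key(fwd, 40, k1) || ecmp_key(ptb, 88, k2)) return 0;
    return memcmp(k1, k2, 32) == 0 && ecmp_hash(k1) == ecmp_hash(k2);
}

int main(void) { return ptb_follows_flow() ? 0 : 1; }
```

The flow labels of the forward packet and the embedded packet differ in the sample, which is why a flow-label-only hash would not bring the Too Big message to the same member, while the embedded-address key does.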
