Pekka Savola | 5 Jun 2007 08:25
Re: Checks for amplification attack

On Mon, 4 Jun 2007, Vishwas Manral wrote:
>>  By 'goes through', do you also mean intermediate routers which do not
>>  need to process the routing header in any way (i.e.: are never in
>>  "Destination Address" field of the routing header)?
>>
>>  If yes, this would require punting packets from hardware forwarding to
>>  the control processor which is IMHO a non-starter.
>
> Having a background on ASIC design for packet forwarding, I believe
> that is exactly what is done for packets that need to be processed in
> some exceptional behavior. It's a very very normal case. The other case
> is to process the packets in the embedded processors, using some
> firmware.
>
> Can you explain why the above design is a non-starter?

As an operator, I do not wish to buy routers that are DoS'able or 
whose control processor CPU resources can be wasted on inspecting 
transiting traffic. "Punting packets to the slow path" is one primary 
thing that a high-speed router should not have to do.  I think I'm not 
alone in the operator field with this sentiment.

Oh yeah, hop-by-hop extension header should be retired as well :-)

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 <at> ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

