On (2011-09-30 10:45 -0400), Christopher Morrow wrote:
> after this long, yes... this is just dumb, there's no reason that the default should be punt. There are cases (you've brought up a few) where it's required today because of design limitations; there really shouldn't be cases like this anymore. this isn't our first rodeo, 'lessons learned' and all that...
Certainly possible, but will you pay the premium? I won't. To implement IPv6 according to the standard, your lookup engine needs an MTU-wide view, so up to 65 kB. The most common view today is probably 64 B, and the widest I know of is 256 B. And for the corner cases where this isn't enough, I'm happy to handle it in software rather than pay a premium to do it all in hardware.
> traceroute could certainly be handled in the fastpath.
Yup. But again, who would pay for this? I cannot be DoSed by TTL exceeds, as there is a sufficient protection mechanism in my hardware. So I would not pay a premium for this feature.
> what is that limit? from a single port? from a single linecard? from a chassis? how about we remove complexity here and just deal with this in the fastpath?
It would increase cost and complexity greatly. If I could get it for free, then I would take it, but I have a lot more important things I want router vendors to fix first. What I do wish vendors would do is test the box with attack vectors and implement sane defaults (IOS-XR is relatively good in this respect, or maybe it just looks that way as the rest of them are really bad with their defaults). Very recently I had a chat with a GSR owner who was happy about how solid and DDoS-resistant a platform GSR/IOS is, while actually it is impossible to protect GSR/IOS (outside iACL), as none of the protections (rACL/CoPP) are implemented in hardware. The 7600 is reasonably good for its age in this matter. But even modern examples, like the MX80, completely fail with defaults. I killed an MX80 in the lab with a bit over 5 Mbps of IP options. Protection is quite easy, but still most people do not do it, so vendors really should ship boxes with saner defaults.

-- 
++ytti
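The IP-options protection alluded to above for the MX80, written out as an added example (it is not ytti's configuration and does not come from the thread): a Junos firewall filter applied to the loopback interface lo0, which is where traffic destined for the routing engine passes on MX. Packets carrying any IPv4 option are policed to a small rate and the excess is discarded before it can reach the RE. The filter, policer and counter names and the 64 kbit/s limit are illustrative assumptions; the factory default, which is simply no lo0 filter at all, is what lets a few Mbps of options-bearing packets take the box down.

```junos
/* Added example, not from the thread: protect the routing engine from IP-options floods.
   Names (PROTECT-RE, IP-OPTIONS-POLICER, ip-options-in) and the rate are assumptions. */
firewall {
    policer IP-OPTIONS-POLICER {
        /* 64 kbit/s is far more than any legitimate options traffic the RE needs to see */
        if-exceeding {
            bandwidth-limit 64k;
            burst-size-limit 10k;
        }
        then discard;
    }
    family inet {
        filter PROTECT-RE {
            /* Term 1: any packet with an IPv4 options field is rate-limited and counted */
            term IP-OPTIONS {
                from {
                    ip-options any;
                }
                then {
                    policer IP-OPTIONS-POLICER;
                    count ip-options-in;
                    accept;
                }
            }
            /* Term 2: everything else is left alone so applying this filter in isolation
               cannot cut off routing protocols or management. A production lo0 filter
               would instead whitelist only the protocols the RE must receive. */
            term ALLOW-REST {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

After committing, `show firewall filter PROTECT-RE` reports the `ip-options-in` counter and the policer's discard count, which is the quickest way to confirm that the term is matching during a test flood rather than silently doing nothing. The second term is deliberately permissive so that the example is safe to apply on its own; the real hardening, as ytti says, is easy but is the operator's job on a default-shipped box, since a lo0 filter that only admits the control-plane protocols the router actually uses is what turns this from a single rate-limit into a proper rACL.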