On Fri, Mar 8, 2019 at 5:44 PM Töma Gavrichenkov <ximaera@gmail.com> wrote:
> My point is that it might be hard to find an affordable device that implements ECMP with v6 flow labels without a considerable performance impact. I would personally be happy to see what others have tested in that regard.
Why do you think it would be expensive? It's cheaper than how ECMP is done for L3 keys, because you just read the flow label and do not calculate any hash. Much much cheaper than how ECMP is done for L3+L4 keys, if that is done right, which it is not, because no device implements IPv6 correctly, as it's not possible in reasonably performing hardware, but this has nothing to do with ECMP.

But in any case, flow labels are not the right solution here, this is not an IPv6 problem, this is an IP problem. The right solution is to look at L3+L4 inside the embedded ICMP packet, as that solves the problem for both AFIs. This at most costs one branch (negligible in a typical NPU), as you set a different static offset based on whether you're parsing ICMP or not. In all likelihood it costs nothing, as the code likely already contains a branch for ICMP where you can just reset the ECMP offset.

I still fail to understand why you think this particular problem has anything to do with attacks or ICMP volume. I find no such indications, and the two Cloudflare blog articles do not state attacks as motivators for this, it's just a technical problem of delivering the ICMP packets to the correct host. A real problem affecting other networks too, but a problem we can fix, if we start asking our vendors for a fix.

-- 
++ytti
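The key selection described in the message above, as an added example that is not part of the original post or any vendor's code. It is narrowed to IPv4, all function names and sample addresses are hypothetical, and swapping the embedded packet's endpoints so the ICMP error lands in the same bucket as the inbound flow is an assumption of this sketch.

```python
import socket
import struct
import zlib

ICMP_ERRORS = {3, 4, 5, 11, 12}  # ICMPv4 types that embed the offending packet

def parse_ipv4(pkt):
    """Return (src, dst, proto, sport, dport, ihl), or None if not usable IPv4."""
    ihl = (pkt[0] & 0x0F) * 4 if len(pkt) >= 20 and pkt[0] >> 4 == 4 else 0
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto, sport, dport = pkt[9], 0, 0
    if proto in (6, 17) and len(pkt) >= ihl + 4:  # TCP/UDP ports
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return pkt[12:16], pkt[16:20], proto, sport, dport, ihl

def ecmp_key(pkt):
    """ECMP key; for ICMP errors it is taken from the embedded packet's L3+L4."""
    outer = parse_ipv4(pkt)
    if outer is None:
        return None
    src, dst, proto, sport, dport, ihl = outer
    if proto == 1 and len(pkt) >= ihl + 8 and pkt[ihl] in ICMP_ERRORS:
        inner = parse_ipv4(pkt[ihl + 8:])  # embedded packet follows the 8-byte ICMP header
        if inner is not None:
            isrc, idst, iproto, isport, idport, _ = inner
            # Assumption: swap endpoints, since the embedded packet travelled in the
            # opposite direction to the flow this device load-balances.
            return idst, isrc, iproto, idport, isport
    return src, dst, proto, sport, dport  # everything else: plain outer L3+L4

def ecmp_bucket(pkt, n_paths):
    key = ecmp_key(pkt)
    if key is None:
        return None  # not parseable as IPv4; left to the caller
    src, dst, proto, sport, dport = key
    return zlib.crc32(src + dst + struct.pack("!BHH", proto, sport, dport)) % n_paths

def ipv4(src, dst, proto, payload):
    """Build a constructed sample packet (header checksum left at 0, not checked here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed samples: a client -> VIP TCP segment, and the "fragmentation needed"
# ICMP error a transit router sends to the VIP about the VIP's reply.
CLIENT, VIP, ROUTER = "198.51.100.7", "192.0.2.10", "203.0.113.1"
INBOUND = ipv4(CLIENT, VIP, 6, struct.pack("!HH", 40000, 443) + bytes(16))
REPLY = ipv4(VIP, CLIENT, 6, struct.pack("!HH", 443, 40000) + bytes(16))
ICMP_PTB = ipv4(ROUTER, VIP, 1, struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + REPLY[:28])
```

An ICMP error whose embedded header is too short to parse falls back to the outer key, so it is still forwarded, just without flow affinity.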