option 212 for 6RD

Tore Anderson tore at fud.no
Fri Jan 18 12:14:35 CET 2013


* Ivan Pepelnjak

> Can 6rd BRs do MSS clamping in forwarding hardware? Matching the TCP
> SYN packets is easy, modifying them less so (and then there's the
> case of SYN packets already having MSS option).

I guess it would depend entirely on the hardware platform used...

It wouldn't necessarily have to be implemented on the 6RD BR though. It
could just as well be done on the BR's upstream router(s) instead, or
any other point the 6RD traffic transits. A quick Google seems to
suggest that at least some Cisco platforms support it, btw (no idea
which ones and whether it's done in hardware or not though):

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html

I can't recall having ever seen a TCP SYN packet without the MSS option.
So normally an implementation will only have to overwrite the existing
MSS value and recalculate the checksum.

I believe that if MSS isn't used by the host, the LAN MTU trick wouldn't
work either - at least not in the content->client direction, which is
where it matters the most.

> If the MSS clamping is done in software, we'd just open another
> avenue for DoS attacks.

Maybe, but I think I'd be more worried about that huge stateful CGN
beast in the neighbouring rack that shuffles 50 times more traffic than
the 6RD BR... ;-)

-- 
Tore Anderson
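Tore's remark that an implementation only has to overwrite the existing MSS value and recalculate the checksum, as an added Python example (not code from this thread, from Cisco or from any 6RD implementation): it clamps the MSS option of an IPv6 TCP SYN the way a clamp on the BR's upstream path would, passes SYNs without the option through untouched, and assumes a bare IPv6 header with no extension headers in front of TCP; the addresses and ports in build_syn are constructed sample values.

```python
import struct
IPV6_HDR_LEN, TCP_PROTO = 40, 6

def _checksum(data: bytes) -> int:  # RFC 1071 ones-complement sum, inverted
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp6_checksum(ipv6: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv6 pseudo-header (src, dst, length, next header) plus segment."""
    pseudo = ipv6[8:40] + struct.pack("!IxxxB", len(tcp), TCP_PROTO)
    return _checksum(pseudo + tcp)

def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """Lower the MSS option of a TCP SYN to max_mss and recompute the checksum.
    Non-SYNs, SYNs without an MSS option and MSS <= max_mss pass through unchanged."""
    ipv6, tcp = packet[:IPV6_HDR_LEN], bytearray(packet[IPV6_HDR_LEN:])
    if ipv6[6] != TCP_PROTO or not tcp[13] & 0x02:  # next header must be TCP, SYN set
        return packet
    i, data_off = 20, (tcp[12] >> 4) * 4  # options live between byte 20 and data offset
    while i < data_off:
        kind = tcp[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP padding
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:  # malformed option; leave the packet alone
            break
        if kind == 2 and length == 4:
            if struct.unpack_from("!H", tcp, i + 2)[0] > max_mss:
                struct.pack_into("!H", tcp, i + 2, max_mss)
                tcp[16:18] = b"\x00\x00"  # checksum field is zero while recomputing
                struct.pack_into("!H", tcp, 16, tcp6_checksum(ipv6, bytes(tcp)))
            break
        i += length
    return ipv6 + bytes(tcp)

def build_syn(mss: int) -> bytes:
    """Constructed sample: IPv6 TCP SYN carrying only an MSS option, checksum filled in."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")  # 2001:db8::1 (documentation prefix)
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")  # 2001:db8::2
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x60, 0x02, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)  # data offset 6 words -> 24-byte header
    ipv6 = struct.pack("!IHBB", 0x60000000, len(tcp), TCP_PROTO, 64) + src + dst
    return ipv6 + tcp[:16] + struct.pack("!H", tcp6_checksum(ipv6, tcp)) + tcp[18:]
```

Verifying the checksum over the rewritten segment (pseudo-header included) must give zero, which is the same check a receiving host performs.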

