MTU handling in 6RD deployments

Templin, Fred L Fred.L.Templin at boeing.com
Fri Jan 17 17:25:49 CET 2014


Hi Mikael,

> -----Original Message-----
> From: Mikael Abrahamsson [mailto:swmike at swm.pp.se]
> Sent: Friday, January 17, 2014 8:16 AM
> To: Templin, Fred L
> Cc: Mark Townsley; ipv6-ops at lists.cluenet.de
> Subject: RE: MTU handling in 6RD deployments
> 
> On Fri, 17 Jan 2014, Mikael Abrahamsson wrote:
> 
> > On Fri, 17 Jan 2014, Templin, Fred L wrote:
> >
> >> Sorry, I was looking at the wrong section. I see now that Section 8 is
> >> talking about a method for a CE to send an ordinary data packet that loops
> >> back via the BR. That method is fine, but it is no more immune to someone
> >> abusing the mechanism than would be sending a ping (or some other NUD
> >> message). By using a ping, the BR can impose rate-limiting on its ping
> >> responses whereas with a looped-back data packet the BR really can't do
> >> rate limiting.
> >
> > You don't ping the BR, you ping yourself via the BR. The BR only forwards the
> > packet.

But, if the BR doesn't examine the packet it could get caught up
in a flood-ping initiated by a malicious CE.
 
> My bad, I didn't read your text properly. Why would the BR want to
> rate-limit data plane traffic?

I am considering a specific ping rather than an ordinary data packet
as a way for the BR to know whether the CE is testing the MTU vs
whether it is just looping back packets. If the BR knows the CE is
testing the MTU, it can send ping replies subject to rate limiting
so a malicious CE can't swamp the BR with excessive pings.

Thanks - Fred
fred.l.templin at boeing.com 

> --
> Mikael Abrahamsson    email: swmike at swm.pp.se

