MTU handling in 6RD deployments

Mikael Abrahamsson swmike at
Fri Jan 17 18:06:55 CET 2014

On Fri, 17 Jan 2014, Templin, Fred L wrote:

> But, if the BR doesn't examine the packet it could get caught up in a 
> flood-ping initiated by a malicious CE.

The BR should have enough dataplane forwarding capacity to handle this.

> I am considering a specific ping rather than an ordinary data packet as 
> a way for the BR to know whether the CE is testing the MTU vs whether it 
> is just looping back packets. If the BR knows the CE is testing the MTU, 
> it can send ping replies subject to rate limiting so a malicious CE 
> can't swamp the BR with excessive pings.

Why does it need to know? The CE is pinging itself CE->BR->CE, and if the 
CE doesn't receive the packet back then the MTU is obviously limited.

So the CE sends out a packet towards the BR, with the IPv6 address being 
the CE itself. So the packet arrives at the BR, gets decapsulated, does 
IPv6 dst address lookup, gets encapsulated, and then sent onto the CE. 
Pure data plane.

I don't get why the BR should need to get involved in anything more 
complicated than that?

Mikael Abrahamsson    email: swmike at

More information about the ipv6-ops mailing list