MTU handling in 6RD deployments

Mikael Abrahamsson swmike at swm.pp.se
Fri Jan 17 18:06:55 CET 2014


On Fri, 17 Jan 2014, Templin, Fred L wrote:

> But, if the BR doesn't examine the packet it could get caught up in a 
> flood-ping initiated by a malicious CE.

The BR should have enough dataplane forwarding capacity to handle this.

> I am considering a specific ping rather than an ordinary data packet as 
> a way for the BR to know whether the CE is testing the MTU vs whether it 
> is just looping back packets. If the BR knows the CE is testing the MTU, 
> it can send ping replies subject to rate limiting so a malicious CE 
> can't swamp the BR with excessive pings.

Why does it need to know? The CE is pinging itself CE->BR->CE, and if the 
CE doesn't receive the packet back then the MTU is obviously limited.

So the CE sends out a packet towards the BR, with the IPv6 address being 
the CE itself. So the packet arrives at the BR, gets decapsulated, does 
IPv6 dst address lookup, gets encapsulated, and then sent onto the CE. 
Pure data plane.

I don't get why the BR should need to get involved in anything more 
complicated than that?

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se
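
The CE->BR->CE loopback probe described in this message, as an added sketch that is not part of the original post or of any 6RD implementation. It models the BR as a stateless decapsulate, look up, re-encapsulate step using the RFC 5969 address mapping. Assumptions: the addresses are constructed documentation values, IPv4MaskLen is 0, the IPv4 path silently drops oversize tunnel packets, and the search range is 1280 to 1500 bytes.

```python
import ipaddress

IPV4_HDR = 20  # outer IPv4 header added by 6RD encapsulation (protocol 41)
SIXRD_PREFIX = ipaddress.IPv6Network("2001:db8::/32")  # constructed 6RD prefix
BR_V4 = ipaddress.IPv4Address("192.0.2.1")             # constructed BR address
CE_V4 = ipaddress.IPv4Address("192.0.2.10")            # constructed CE address
SHIFT = 128 - SIXRD_PREFIX.prefixlen - 32              # bit offset of the embedded IPv4 address

def ce_v6_prefix(ce_v4):
    """RFC 5969 mapping, IPv4MaskLen 0: 6RD prefix followed by the full IPv4 address."""
    base = int(SIXRD_PREFIX.network_address) | (int(ce_v4) << SHIFT)
    return ipaddress.IPv6Network((base, SIXRD_PREFIX.prefixlen + 32))

def v4_from_v6(dst_v6):
    """Inverse mapping the BR applies during its IPv6 destination lookup."""
    if dst_v6 not in SIXRD_PREFIX:
        return None
    return ipaddress.IPv4Address((int(dst_v6) >> SHIFT) & 0xFFFFFFFF)

def path_delivers(inner_len, path_mtu):
    """Assumption: the IPv4 path drops oversize tunnel packets (no fragmentation)."""
    return inner_len + IPV4_HDR <= path_mtu

def br_forward(outer_dst, inner_dst, inner_len):
    """Stateless BR: decapsulate, look up the inner dst, re-encapsulate. No payload inspection."""
    if outer_dst != BR_V4:
        return None
    next_hop = v4_from_v6(inner_dst)
    return None if next_hop is None else (next_hop, inner_dst, inner_len)

def loopback_probe(size, path_mtu):
    """CE sends an IPv6 packet addressed to itself via the BR; True if it comes back."""
    me = ce_v6_prefix(CE_V4).network_address + 1
    if not path_delivers(size, path_mtu):            # CE -> BR leg
        return False
    out = br_forward(BR_V4, me, size)
    if out is None or out[0] != CE_V4:
        return False
    return path_delivers(out[2], path_mtu)           # BR -> CE leg

def discover_tunnel_mtu(path_mtu, lo=1280, hi=1500):
    """Binary search for the largest IPv6 packet that survives the CE->BR->CE loop."""
    if not loopback_probe(lo, path_mtu):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if loopback_probe(mid, path_mtu) else (lo, mid - 1)
    return lo
```

The BR keeps no per-CE state in this model; the CE alone decides when to probe and infers the limit from which probes fail to return.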

