[c-nsp] no ipv6 source-route
Saku Ytti
saku+cisco-nsp at ytti.fi
Wed Apr 25 01:20:46 EDT 2007
On (2007-04-24 23:59 +0200), Gert Doering wrote:
> > Even if it would be supported, wouldn't it still mean that all
> > source-route packets reach MSFC? And while it would stop this feature
> > from working, it would still leave the DoS vector open?
>
> That's what we have hardware rate limiters for... :)
I don't believe PFC3 supports CoPP or IPv6 unicast mls rate-limiters. So
you'd end up having an ACL on each interface, and I'm not sure if ACLs
have proper lookups either to handle this, and even if they do, you
probably would need to run in compressed address mode.
I doubt many are going to do that, except perhaps in AS borders.
--
++ytti