[c-nsp] IP Options Drop

Phil Mayers p.mayers at imperial.ac.uk
Mon Apr 21 14:22:20 EDT 2014


On 21/04/2014 17:26, Saku Ytti wrote:
> On (2014-04-21 17:09 +0100), Phil Mayers wrote:
>
>> Can you expand on this? Currently you can either do "platform rate-limit"
>> for IP options or disable the RL and use the built-in / magic CPP class-map:
>
> As ACL match work, you could do it in iACL and then you're only left with own
> customers attacking you.
> Mind you, I don't run PFC4. But amongst things I'm missing in PFC3 ACL
> classification are packet size and IP options, both should be available in
> PFC4.

Seems so; I had assumed options ACL match was still absent because it 
had a platform RL/CPP match, but a test on our box says:

#sh ip access-list TEST
Extended IP access list TEST
     10 deny ip any any option any-options
     20 deny ip any any pak-len lt 128 (117 matches)
     30 permit ip any any

#sh platform hardware acl entry interface vlNNN security in ip
...
tcam:B, bank:0, prot:0    Aces

L3_Deny               ip any 224.0.0.0 15.255.255.255 L3_len lt 128
L3_Deny               ip any 224.0.0.0 15.255.255.255 v6_flags(0,0)
Permit                ip any 224.0.0.0 15.255.255.255
L3_Deny               ip any any L3_len lt 128   (53 matches)
L3_Deny               ip any any v6_flags(0,0)
Permit                ip any any

...and the "len" match certainly works, just tested. Assume the v6_flags 
thing is just an internal / field re-use detail, though I didn't have 
any easy way to test IP options.

That said, the ACL merge logic seems a bit sub-optimal currently on this 
release - the thing with duplicate copies of ACEs for 224.0.0.0/4 and 
longer routes versus everything else, even with the same outcome, seems 
to be pretty consistent. Wonder if they'll optimise that?

I will refrain from ranting on the pain of *managing* ACLs on IOS-based 
platforms however ;o)


More information about the cisco-nsp mailing list