[j-nsp] ip(v6) options
Saku Ytti
saku at ytti.fi
Fri Jan 29 14:11:38 EST 2016
Hey,
> Isn’t there a requirement that packets with IP options needs to be punted to the CPU for processing (process switched) (on every hop)
> Although I'd be interested to know if it's the LC CPU or RE CPU handling these then.
Well not hard requirement, but no one in market needs IP options at
performance, so they're done in software in all platforms that I know
of. This isn't the debate, the debate is if or not they should hit lo0
filter.
> Also my understanding of RE filter is that it is passed down to all PFEs in the system -so what you filter there is dropped right at the ingress and only what you permit is then subject to the built in DDoS protection rate-limiters (Junos "static" version of LPTS in XR) before it ends up in CPU (wanted to say RE-CPU but now I'm not that sure, could be LC CPU possibly??? ).
Quite. lo0 filter when supported in HW is done at ingress HW, then
packet goes through ddos policer, then static NPU=>LC_CPU ratelimiter,
then RP.
> Do you mean the term "discard-TTL_1-unknown" i.e. "from ttl 1 then discard"?
No. I mena, what if packets with TTL exceeding were punted through lo0
filter, that would be broken, right? Because you don't want to allow
whole world in your loo0 filters.
So why would IP options be punted through lo0?
Even though they are handled by software, they are not subject to lo0 filtering.
> It looks like there's a built in mechanism that filters ingress packets with TTL1 that are not destined to the router - as those would not make out the egress interface because of TTL decremented to 0 anyway.
Yes. There used to be resolve policer, then there wasn't for 2 years
or so (when things were dangerously broken) after DDOS protection was
implemented, then it was reintroduced and things are fairly ok now.
> So it looks like instead of just the source IP and possibly some other fields the whole packet is actually passed up to the CPU (RE/LC) so that the CPU can generate Time Exceeded ICMP message. (if just necessary fields would have been listed in a msg sent to CPU there would be no need to mention packets with TTL1 in the RE filter)
> The rate at which these packets are punted to CPU is then subject to built-in DDoS protection.
Yes. But the packets are not subject to lo0. So why should IP options be?
--
++ytti
More information about the juniper-nsp
mailing list