
Too bigs are sacred, was: Re: IPv6 addressing for core network



Iljitsch van Beijnum wrote:
> On 10 feb 2011, at 0:26, David Freedman wrote:
> 
>>> Unless every packet you emit is ≤ the minimum MTU (1280), then, you need
>>> to be able to receive TOOBIG messages.
> 
>> Can you think of a packet type I will emit from my publically numbered
>> backbone interface which may solicit a TOOBIG that I'll have to care about?
> 
> What if you're trying to connect to your routers with 1500-byte+ POS, ATM, ethernet jumbo or what have you interfaces from some system with a big fat jumboframe MTU but some 100 Mbps ethernet firewall or office network in the middle?
> 
> If you're willing to accept TCP or UDP from somewhere, it's a bad idea to filter ICMP coming in from that same place.
> 

I think the point I'm making is that I'm not; I won't accept any traffic
to these backbone interfaces from outside the AS. This means no
management sessions from outside the network! (And in the rare,
emergency cases where something does need to get in from the outside,
policy may dictate ACL hole-punching to support it.)

In the case of people having an unreachable core (i.e. MPLS
hidden or RFC1918/ULA/LinkLocal), this happens already; if they decide
to expose this somehow (MPLS TTL propagation, and/or allowing the ICMP
out) then it is only to assist troubleshooting (not that I accept
RFC1918/ULA sourced traffic from such networks at my edge, anyway).

These people are doing this by design. I think that's the point I'm
trying to get across: if you will never need to process TOOBIG in your
design, there is no need to accept it.


-- 


David Freedman
Group Network Engineering
Claranet Group
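The PMTUD behaviour the two posters are arguing about, modelled as an added example (not code from the thread or from either poster): an IPv6 sender that emits packets larger than the narrowest link learns the path MTU from ICMPv6 Packet Too Big, is blackholed when an edge filter drops those messages, and is unaffected when it only ever emits 1280-byte packets. The per-hop MTUs, the filter flag and the retry limit are constructed values.

```python
"""Model of IPv6 path-MTU discovery with an ICMPv6 Packet Too Big filter (constructed example)."""
from dataclasses import dataclass

IPV6_MIN_MTU = 1280  # RFC 8200 minimum link MTU; routers never fragment in IPv6


@dataclass
class Path:
    """A path described by its per-hop link MTUs (constructed values)."""
    link_mtus: list
    filter_too_big: bool  # True = edge ACL drops inbound ICMPv6 type 2 (Packet Too Big)

    def forward(self, size):
        """Return (delivered, reported_mtu). reported_mtu is the MTU carried in the
        Too Big message that comes back, or None if the packet got through or the
        Too Big was filtered on the way back."""
        for mtu in self.link_mtus:
            if size > mtu:
                return False, (None if self.filter_too_big else mtu)
        return True, None


def send(path, payload_size, pmtu, max_rounds=8):
    """Send one payload, shrinking the packet each time a Too Big arrives.

    Returns (delivered, final_pmtu, rounds_used). The sender starts at its own
    interface MTU (pmtu) and never goes below 1280.
    """
    for rounds in range(1, max_rounds + 1):
        size = min(payload_size, pmtu)
        delivered, reported = path.forward(size)
        if delivered:
            return True, pmtu, rounds
        if reported is None:
            # Too Big filtered: no signal, so the stack just retransmits at the same size
            continue
        pmtu = max(reported, IPV6_MIN_MTU)
    return False, pmtu, max_rounds  # blackholed: large packets silently lost


if __name__ == "__main__":
    open_path = Path([9000, 1500, 9000], filter_too_big=False)
    print(send(open_path, 9000, 9000))      # (True, 1500, 2): PMTUD converges
    filtered = Path([9000, 1500, 9000], filter_too_big=True)
    print(send(filtered, 9000, 9000))       # (False, 9000, 8): blackholed
    print(send(filtered, 1280, 9000))       # (True, 9000, 1): minimum-MTU traffic unaffected
```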