
rare-users - [RARE-users] [freertr] about fragmenting --- Fwd: additional lib needed for builds

Subject: RARE user and assistance email list

  • From: "mc36" <>
  • To: "" <>
  • Subject: [RARE-users] [freertr] about fragmenting --- Fwd: additional lib needed for builds
  • Date: Wed, 6 Jul 2022 08:31:58 +0200
  • List-id: <freertr.groups.io>
  • Mailing-list: list ; contact




-------- Forwarded Message --------
Subject: Re: additional lib needed for builds
Date: Wed, 6 Jul 2022 08:27:31 +0200
From: mc36 <>
Reply-To:
To:



On 7/4/22 13:09, mc36 wrote:
it's the expected yes... normally freerouter will never ever fragment...
regardless what you do... it's what the barefoot asic (the primary target for now)
can do, because it's cut-through as most of the dc-optimized asics are...
(but in cut through, as you don't have the whole packet, just the headers,
so you can't do anything with the payload, only with the headers...)
if you want fragmentation, you can enable it, ipv4/6 fragment 1024
and to receive them, ipv4/6 reassem 16... but please don't... simply
because it'll ruin performance, and above a certain speed, nobody
will be able to cope with the fragments in scale... we're piloting
with an lns taking 4k l2tps, each having a labeled bgp session:
from http://www.freertr.org/present.html, https://files.fm/f/pmawytcjx
it has a single n+100g uplink interface, but each 4k l2tp represents
an intermediate school in hungary, connected to a foreign carrier...
now think about the reasm buffer requirement if we went the frag/reasm way?
well, there is another thing, the intermediate boxes,
like routers along the path the packets take...

-in case of user facing (non-bgp) interfaces, you must ipv4/6 verify source,
-and usually tcp.port==25, plus the infra...
infra acl, which applies on all the interfaces:
-you deny ip.src==ownranges/16 (except the rented/24s if any...)
-you deny ip.trg==ownranges/16 && (tcp.src/trg==179/646/23/22/etc || ip.proto==ospf/rsvp)
and that's the point, you likely filter on layer4 on the edges,
which is impossible on fragments (*) along the path without virtual
reassembly, but at these speeds, there is no such thing...
and even more impossible to do so in the fastpath... in case of ipv6,
it involves offsetting by a tlv-like structure traversal to have the
layer4 headers, which is also impossible in asics... not surprisingly
these kinds of packets rarely go through a carrier...

*: the 1st fragment does not necessarily have the full layer4 header
*: the 2nd+ fragments don't have the layer4 header
*: the 2nd+ fragments can overlap with the 1st, overwriting the port, so it's really unsafe to allow them in
*: so as soon as you enable layer4 filtering, you have to reassemble all the fragments to have a safe implementation

br,
cs
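
An added example, not part of the message above and not freeRtr code: a stateless infra acl for ipv4 that has no reassembly, so it can only judge layer4 when the full tcp header is in the packet it is looking at. The prefix 192.0.2.0/24 stands in for "ownranges", the function names are hypothetical, and denying every fragment it cannot inspect is an assumption about policy, not something the message prescribes.

```python
import ipaddress
import struct

OWN_RANGE = ipaddress.ip_network("192.0.2.0/24")  # constructed stand-in for "ownranges"
INFRA_TCP_PORTS = {179, 646, 23, 22}               # tcp ports named in the message
INFRA_PROTOS = {89, 46}                            # ospf, rsvp

def ipv4(dst, proto, payload, mf=False, frag_off=0, src="198.51.100.7"):
    """Build a constructed IPv4 packet (checksum left at 0, not checked here)."""
    flags_off = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                      flags_off, 64, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload

def tcp(sport, dport):
    """Minimal 20-byte tcp header (SYN, no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 1024, 0, 0)

def infra_acl(pkt):
    """Decide on one packet in isolation, the way a filter without reassembly must."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_off, = struct.unpack_from("!H", pkt, 6)
    off = (flags_off & 0x1FFF) * 8                 # fragment offset in bytes
    proto, dst = pkt[9], ipaddress.ip_address(pkt[16:20])
    if dst not in OWN_RANGE:
        return "permit"
    if proto in INFRA_PROTOS:
        return "deny-infra-proto"
    if off != 0:                                   # 2nd+ fragment: no layer4 header at all
        return "deny-nonfirst-fragment"
    if proto == 6:
        l4 = pkt[ihl:]
        if len(l4) < 20:                           # 1st fragment without the full tcp header
            return "deny-short-first-fragment"
        sport, dport = struct.unpack_from("!HH", l4)
        if sport in INFRA_TCP_PORTS or dport in INFRA_TCP_PORTS:
            return "deny-infra-port"
    return "permit"

if __name__ == "__main__":
    for p in (ipv4("192.0.2.1", 6, tcp(40000, 179)),
              ipv4("192.0.2.1", 6, tcp(40000, 443)),
              ipv4("192.0.2.1", 6, tcp(40000, 443)[:8], mf=True),
              ipv4("192.0.2.1", 6, b"\x00" * 16, frag_off=24)):
        print(infra_acl(p))
```

Permitting the non-first fragments instead would require the reassembly state the message argues against at these speeds.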


View/Reply Online (#369): https://groups.io/g/freertr/message/369



