[145165] in North American Network Operators' Group

Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation

daemon@ATHENA.MIT.EDU (Mikael Abrahamsson)
Fri Sep 30 02:15:27 2011

Date: Fri, 30 Sep 2011 08:13:37 +0200 (CEST)
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Christopher Morrow <morrowc.lists@gmail.com>
In-Reply-To: <CAL9jLaY5yaxsKXu+A3ua3wBfQXxaKQqy1jt0usbe+vGW-AKE4g@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, 30 Sep 2011, Christopher Morrow wrote:

> If you do nothing the default behavior is to send the packet to the 
> RP... why? (why would you want this packet sent to the RP? it's got a 
> valid destination, no? so deliver it out the egress interface?)

I was told it's because the PFC3B can't look far enough into the packet to 
determine what the payload is (TCP/UDP etc.) and the port; it's only the RP 
that can do ACL handling of the packet.

So if you configure "forward", people can put a fragmentation header on 
the packet and skip past your ACL.

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se
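
Added example, not part of the original message and not Cisco code: a Python sketch of why a classifier that reads only the base IPv6 header's Next Header field loses the protocol and port once a fragment header is present, next to the extension-header walk a filter needs in order to keep matching on them. The function names and sample packets are constructed for illustration, and the fixed-offset model is an assumption about the behaviour described above, not the PFC3B's actual logic.

```python
import struct

# IANA protocol numbers used in the IPv6 Next Header field
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, TCP, UDP = 0, 43, 44, 60, 6, 17
BASE_LEN = 40  # fixed IPv6 header length

def ports_at(pkt, off, proto):
    if off + 4 > len(pkt):
        return {"proto": None, "reason": "truncated L4 header"}
    sport, dport = struct.unpack_from("!HH", pkt, off)
    return {"proto": proto, "sport": sport, "dport": dport}

def classify_fixed_offset(pkt):
    """Simplified model (assumption, not the PFC3B's real logic): only the
    base header's Next Header byte is inspected."""
    nh = pkt[6]
    if nh in (TCP, UDP):
        return ports_at(pkt, BASE_LEN, nh)
    return {"proto": None, "reason": f"next header {nh} hides L4"}

def classify_walk_chain(pkt):
    """Follow the extension header chain to the upper-layer header."""
    nh, off = pkt[6], BASE_LEN
    while nh in (HOP_BY_HOP, ROUTING, DEST_OPTS, FRAGMENT):
        if off + 8 > len(pkt):
            return {"proto": None, "reason": "truncated extension header"}
        if nh == FRAGMENT:
            # 13-bit fragment offset sits above 2 reserved bits and the M flag
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return {"proto": None, "reason": "non-initial fragment"}
            ext_len = 8  # fragment header is always 8 bytes
        else:
            ext_len = 8 * (pkt[off + 1] + 1)
        nh, off = pkt[off], off + ext_len
    if nh in (TCP, UDP):
        return ports_at(pkt, off, nh)
    return {"proto": None, "reason": f"upper-layer protocol {nh}"}

def ipv6(next_header, payload):
    """Constructed sample packet, 2001:db8::1 -> 2001:db8::2."""
    src = bytes.fromhex("20010db8") + bytes(11) + b"\x01"
    dst = bytes.fromhex("20010db8") + bytes(11) + b"\x02"
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

UDP_HDR = struct.pack("!HHHH", 40000, 53, 8, 0)  # constructed, dst port 53
PLAIN = ipv6(UDP, UDP_HDR)
FRAG_HDR = ipv6(FRAGMENT, struct.pack("!BBHI", UDP, 0, 0, 0x1234) + UDP_HDR)
LATER_FRAG = ipv6(FRAGMENT, struct.pack("!BBHI", UDP, 0, 185 << 3, 0x1234) + bytes(8))
```

A non-initial fragment carries no L4 header at all, so even the chain walk returns no ports for it; a port-based ACL needs an explicit policy for that case.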

