(deleted address-policy-wg from the cc:) On 26 nov 2005, at 16.00, Florian Weimer wrote:
2. Drop the Flow Label and Next Header fields from the IPv6 header.
Next Header is required, or how else do you know what follows the IPv6 header? Or do you only want to do TCP? What about UDP, SCTP and many other headers (for IPv6 in IPv6, IPv4 in IPv6, IPSEC etc.)?
IPv6 was designed for ACL-free software forwarding. This is not what we need today. Real routers must be able to access some layer 4 information.
A better header would do away with any layer 3 options or option replacement. It would consist of 7 64-bit words. The first word contains the IP protocol version number, a hop counter (not a TTL, because it can be spoofed), and a bidirectional next-layer protocol identifier (protocol number plus some optional data that is independent of the direction of the packet flow and constant for a given "connection"). You can include some bits for QoS if you want, but I'm not sure if this makes sense. This is the first word.
After that, the source and destination address follow (two words each). The remaining two words are the next-layer source and destination address identifier (think port number, but you can put some additional cookie in there to make blind spoofing harder).
In order to create a reflexive ACL entry, a router would zap the header flags and the hop count (which are ignored during matching anyway) and swap the source and destination addresses. No more upgrades so that you can filter still-a-bit-obscure protocols such as SCTP.
Of course, a discussion about header layout is a bit pointless. But it is still a bit unfortunate that a protocol header explicitly designed for efficient forwarding does not come anywhere near that goal.
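The reflexive ACL derivation sketched in the mail above, as an added C example that is not code from the thread; the 7-word header layout, the field widths, and the sample addresses and identifiers are assumptions constructed for illustration:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical 7 x 64-bit header from the mail; field widths are an assumption. */
struct hdr7 {
    uint8_t  version;    /* word 0: protocol version */
    uint8_t  hops;       /* word 0: hop counter, ignored when matching */
    uint16_t flags;      /* word 0: optional QoS bits, ignored when matching */
    uint32_t proto_id;   /* word 0: direction-independent next-layer id + cookie */
    uint64_t src[2];     /* words 1-2: source address */
    uint64_t dst[2];     /* words 3-4: destination address */
    uint64_t src_id;     /* word 5: next-layer source identifier (port + cookie) */
    uint64_t dst_id;     /* word 6: next-layer destination identifier */
};
/* A reflexive ACL entry keeps only the fields that take part in matching. */
struct acl_key {
    uint8_t  version;
    uint32_t proto_id;
    uint64_t src[2], dst[2], src_id, dst_id;
};
/* Derive the return-direction entry: zap hops/flags, swap addresses and identifiers. */
void reflexive_key(const struct hdr7 *h, struct acl_key *k) {
    memset(k, 0, sizeof *k);
    k->version = h->version;
    k->proto_id = h->proto_id;          /* bidirectional, so copied unchanged */
    memcpy(k->src, h->dst, sizeof k->src);
    memcpy(k->dst, h->src, sizeof k->dst);
    k->src_id = h->dst_id;
    k->dst_id = h->src_id;
}
/* Match an inbound packet against an entry; hop count and flags are never compared. */
bool acl_match(const struct acl_key *k, const struct hdr7 *h) {
    return k->version == h->version && k->proto_id == h->proto_id
        && memcmp(k->src, h->src, sizeof k->src) == 0
        && memcmp(k->dst, h->dst, sizeof k->dst) == 0
        && k->src_id == h->src_id && k->dst_id == h->dst_id;
}
/* Constructed scenario: an outbound packet creates the entry, then an inbound packet
 * carrying reply_src_id (with a different hop count and flags) is checked against it. */
bool reply_admitted(uint64_t reply_src_id) {
    struct hdr7 out = { .version = 7, .hops = 64, .flags = 0, .proto_id = 6,
        .src = {0x2001, 0x1}, .dst = {0x2001, 0x2}, .src_id = 0xC0FFEE0001ULL, .dst_id = 443 };
    struct acl_key k;
    reflexive_key(&out, &k);
    struct hdr7 in = { .version = 7, .hops = 57, .flags = 0x3, .proto_id = 6,
        .src = {0x2001, 0x2}, .dst = {0x2001, 0x1}, .src_id = reply_src_id, .dst_id = 0xC0FFEE0001ULL };
    return acl_match(&k, &in);
}
```

A reply whose next-layer source identifier does not match the original destination identifier (wrong port or cookie) is dropped even though addresses and protocol match, which is what makes the cookie bits useful against blind spoofing.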
So AFAIK the state-of-the-art routers do 40G line-rate deep-packet inspection with any pattern matching. So remind me again what the problem is? Price? Sure, that is a question of demand and volume production... When MPLS was new I remember being told by vendors that it was the only way we could forward IPv4 at 10G line-rate. Go figure. - kurtis -