
Re: About dest MAC@
alain.ritoux@6wind.com wrote:
> 
> Still some thoughts about filtering and the need of MAC@:
> 
> - If the IRD is a Host, indeed MAC filtering is not needed (it may of
> course improve the receiver capacities), 

It does have the advantage of placing a field in a well known position,
which can be used by a variety of protocols types. This in itself does
not imply *faster* processing.

We also need to weigh the placement of the MAC address(es), and the fact 
that making it optional can incur extra processing cost.

> but IP level filtering is enough

OK.

> - If the IRD is itself a router, there is still the case (that may be
> of (most?) common usage ??) that the network behind it is a
> leaf-network, and by no means a transit network. 

OK, so specifically you mean a leaf network where routing protocols are 
not used to determine forwarding to the "leaf" network. One example is a 
network with one external receive interface (via the MPEG-2 port).

That is, there are no alternative delivery paths, and therefore no 
reachability via other routers that may also receive the packet. Specifically
you must also require all other routers to silently drop packets with
an unreachable network address. If you do all this, I agree - but
although this would work, it seems a "tweak", and I'm not sure the
latter is a robust recommendation (if one router returns an ICMP message to
the source, what happens??)

> In this case, the router
> acts as a CPE, and usually "knows" what is behind him, let's say
> my_site_prefix::/48. The firewall rule with something like
>    100 deny ipv6 from any to !my_site_prefix::/48 via dvb0 in
> will give the needed filtering, without any MAC address needed.
> 

OK, and all other routers must REJECT (filter & silently discard)
packets with no MAC address and that do not match their own site prefix.

> or even a mechanism based on the redirect-conditions, I mean if this is
> a CPE, it will have a typical ::/0 route through the logical dvb
> interface (that can use SPCP, RCS, whatever mean for the return link),
> and a packet not addressed to a host present in the site will be
> naturally forwarded through the dvb interface, which is a potential case
> for a redirect (i.e. same ingoing/outgoing interface).
> If the interface is configured with a feature such as :
>    - if the redirect conditions match, then DROP packet silently
> It will perform the same filtering as above but without the /48
> delegation stored into a firewall rule (sort of RPF check), which is even
> more cool.
> 
> Your thoughts ?

My thoughts are that we have some cases here that can use IP packets
without MAC addresses, providing:

(a) they can efficiently filter on IP level addresses

AND

(b) If they are routers they MUST also differentiate packets with
a MAC dest address from those without a MAC address, and MUST discard
packets with no MAC address that do not correspond to their own IP address
(or with all the rules above to the prefix used for hosts on a leaf IP network.)

> Regards.
> Alain.
> --
> Alain RITOUX
> Tel +33-1-39-30-92-32
> Fax +33-1-39-30-92-11
> visit our web http://www.6wind.com
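As an added illustration (not code from either correspondent), the receive-side decision discussed in the thread, in Python: a frame that carries a destination MAC is filtered on the MAC as usual; a frame without one is accepted only when the IPv6 destination is the node itself or, for a leaf-network CPE router, falls inside the delegated site prefix (the `!my_site_prefix::/48 via dvb0 in` rule), and everything else is dropped silently. The `Receiver` record, the `decide()` function and the sample addresses are assumptions made for this example; multicast is not modelled.

```python
"""Receive filter for IP packets arriving over an MPEG-2/DVB link.
Policy taken from the discussion above; names and sample data are
constructed for this example, not taken from any implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Receiver:
    role: str                          # "host" or "router"
    own_mac: str                       # MAC of the receive interface
    own_addrs: Set[str]                # IPv6 addresses assigned to this node
    site_prefix: Optional[str] = None  # delegated leaf prefix (routers only)


def decide(rx: Receiver, dst_mac: Optional[str], dst_ip: str) -> str:
    """Return 'accept', 'forward' or 'drop' for one received packet.
    dst_mac is None when the link-layer frame carried no destination MAC."""
    ip = ipaddress.IPv6Address(dst_ip)
    own = {ipaddress.IPv6Address(a) for a in rx.own_addrs}

    if dst_mac is not None:
        # MAC address present: classic link-layer filtering first.
        if dst_mac.lower() not in (rx.own_mac.lower(), BROADCAST_MAC):
            return "drop"
        if ip in own:
            return "accept"
        # Hosts never forward; routers hand it to the forwarding path.
        return "forward" if rx.role == "router" else "drop"

    # No MAC address: only IP-level filtering is available.
    if ip in own:
        return "accept"
    if rx.role == "router" and rx.site_prefix is not None:
        # Leaf-network CPE: forward only towards hosts behind us. Anything
        # else is discarded silently, so no ICMP error or redirect is ever
        # sent back over the broadcast link for traffic meant for others.
        if ip in ipaddress.IPv6Network(rx.site_prefix):
            return "forward"
    return "drop"
```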