Hello, Donald,

We had this preso in the IPv6 Hackers (http://www.ipv6hackers.org/) meeting in Berlin, 6 years ago:

* slides: http://www.ipv6hackers.org/meetings/ipv6-hackers-1/zack-ipv6hackers1-firewall-security-assessment-and-benchmarking.pdf
* video: http://www.youtube.com/watch?v=umva0BxaXfM

Thanks,
Fernando

On 6/12/18 14:59, Smith, Donald wrote:
> Perhaps we should push for some research to evaluate the actual impact?
>
> This is the only study I know that did something like that. It was limited to a single router and is 2 years or so old.
>
> http://www.macrothink.org/journal/index.php/npa/article/viewFile/10190/8493
>
> "The maximum traffic rate was reached with packets of 1518 Bytes and IPv4 protocol, and it decreases with the use of IPv6 protocol. The router reaches higher performance when work with IPv4 traffic. The CPU usage increases with the increase of IPv6 traffic. The use of ACL in IPv4 traffic the CPU usage rises from 6.5% without ACL to 15% with ACL (8.5%) while for IPv6 goes from 67.5% to 82.5%, 15%, the double. The maximum traffic rate falls 1.54 Mbps by the use of ACL in IPv4 and 27.14 Mbps in IPv6. With IPv4 the router is able to support bidirectional traffic without decrease the maximum traffic rate, compared with unidirectional traffic. But for IPv6 in bidirectional traffic the maximum traffic rate is lower than for unidirectional traffic in the same conditions. The use of REH in the traffic supposes an increment of the CPU usage; this increment depends on the packets per second of the data flow."
>
> if (initial_ttl!=255) then (rfc5082_compliant==0)
> [email protected]
>
> ________________________________________
> From: OPSEC [[email protected]] on behalf of Gert Doering [[email protected]]
> Sent: Monday, November 26, 2018 12:57 AM
> To: Joe Touch
> Cc: ietf; [email protected]; Nick Hilliard; OPSEC; Christian Huitema; tsv-art; Brian E Carpenter
> Subject: Re: [OPSEC] [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
>
> Hi,
>
> On Sun, Nov 25, 2018 at 09:16:23PM -0800, Joe Touch wrote:
>> I.e., most of the analysis in this document is flat out incorrect in
>> assuming that merely because a packet could cause a router to do work that
>> it is a security risk to handle that packet as intended.
>
> And then IETF wonders why operators do not feel like time spent on providing their input to IETF WGs is well-spent.
>
> What else can it be, on a real-world device, in today's Internet?
>
> Gert Doering
>         -- Operator
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
> Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
>
> _______________________________________________
> OPSEC mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/opsec
>
> This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.

--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
