[e2e] It's all my fault
avg at kotovnik.com
Tue May 15 03:44:43 PDT 2007
"I need source routing" is an euphemism for "my TE sucks".
The fundamental problem with SR is that endpoints do not have information
about network topology necessary for making intelligent path choices. It
is as simple as that.
If you really want end hosts (and not gateways which actually know which
trunks are up and which are down and what the preferences are because they
do the little pesky things like ISIS, OSPF and BGP) to control which path
is taken, use the gawd-given TOS field to mark the packets. And add some
rules to the gateway route maps. This way you can have both path
selection *and* ability to route around failures.
I never ever in my long career as a backbone engineer had any legitimate
need to use SR options. As a network hardware and software designer I
spent quite a few of my grey cells trying to figure how to handle the damn
options fast enough in silicon so as to prevent script kiddies from
DDOSing the boxes to death.
So, here we are - having a lot of crud (which, by the way, most vendors
get wrong, which never seems to bother anyone because nobody actually uses
it) in the fast path because somebody somewhere thought that source
routing is a neat trick.
Oh. And SR is not really a security problem simply because the first thing
most real firewalls do is dropping all packets with these IP options.
Simply put, SR is a Bad Idea. Just like not preserving port numbers in
fragments, or doing ARP instead of simply programming NICs to map IP
addresses to low-order bytes of MAC addresses. For a host stack designer
these are mere annoyances (though if I had a buck every time I saw a buggy
ARP implementation... heh), but working around these little cute design
"features" at 10G makes life truly miserable.
Keep It Simple.
More information about the end2end-interest