[e2e] It's all my fault
David P. Reed
dpreed at reed.com
Tue May 15 07:20:48 PDT 2007

If your view is that the Internet is designed to make 10G adapters run
fast, or that IP headers should be used within AS's as native
fiber-switch routing data instead of wrapping them with layer 2 headers
as any sensible designer would, you would be right.

God did not say that IP was the layer 2 routing protocol. In fact, the
Internet was designed to join *heterogeneous* networks at layer 3.

Lunatic microoptimizers have decided that they ought to try to eliminate
diversity and heterogeneity in the Internet. They somehow think that
God anointed the backbone to be in charge of the proper behavior of
their users. So ATT, so 1920's.

Vadim Antonov wrote:
> "I need source routing" is a euphemism for "my TE sucks".
>
> The fundamental problem with SR is that endpoints do not have information
> about network topology necessary for making intelligent path choices. It
> is as simple as that.
>
> If you really want end hosts (and not gateways which actually know which
> trunks are up and which are down and what the preferences are because they
> do the little pesky things like ISIS, OSPF and BGP) to control which path
> is taken, use the gawd-given TOS field to mark the packets. And add some
> rules to the gateway route maps. This way you can have both path
> selection *and* ability to route around failures.
>
> I never ever in my long career as a backbone engineer had any legitimate
> need to use SR options. As a network hardware and software designer I
> spent quite a few of my grey cells trying to figure how to handle the damn
> options fast enough in silicon so as to prevent script kiddies from
> DDOSing the boxes to death.
>
> So, here we are - having a lot of crud (which, by the way, most vendors
> get wrong, which never seems to bother anyone because nobody actually uses
> it) in the fast path because somebody somewhere thought that source
> routing is a neat trick.
>
> Oh. And SR is not really a security problem simply because the first thing
> most real firewalls do is to drop all packets with these IP options.
>
> Simply put, SR is a Bad Idea. Just like not preserving port numbers in
> fragments, or doing ARP instead of simply programming NICs to map IP
> addresses to low-order bytes of MAC addresses. For a host stack designer
> these are mere annoyances (though if I had a buck every time I saw a buggy
> ARP implementation... heh), but working around these little cute design
> "features" at 10G makes life truly miserable.
>
> Keep It Simple.
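The quoted reply says the usual firewall policy is to drop any packet carrying a source-route IP option, and that most vendors get option parsing wrong anyway. The following is an added example, not code from either poster or from any product they mention: a small IPv4 option walker in Python that flags the two source-route options (LSRR, type 131, and SSRR, type 137, per RFC 791) and treats a malformed options field as a drop as well, since a header the parser cannot walk is exactly the kind of input that trips up fast-path implementations. The sample headers are constructed inline with a zero checksum and the helper names (`parse_ipv4_options`, `should_drop`, `build_header`) are this example's own.

```python
import struct
from typing import List, Tuple

# IPv4 option type bytes (RFC 791): copied flag, class and number packed
# into one byte. LSRR and SSRR are the two source-route options the
# reply above says real firewalls drop on sight.
IPOPT_EOL = 0          # end of option list
IPOPT_NOP = 1          # single-byte padding
IPOPT_RR = 7           # record route (not source routing; allowed here)
IPOPT_LSRR = 131       # loose source and record route
IPOPT_SSRR = 137       # strict source and record route
SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_ipv4_options(packet: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, data) pairs for every option in the IPv4 header.

    Raises ValueError on a truncated or inconsistent header; a filter
    should treat that the same way it treats a source-routed packet.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("bad version or IHL")
    options = packet[20:ihl]
    parsed: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            break                         # rest of the field is padding
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option without length byte")
        length = options[i + 1]           # covers type and length bytes too
        if length < 2 or i + length > len(options):
            raise ValueError("option length out of range")
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed


def should_drop(packet: bytes) -> Tuple[bool, str]:
    """Firewall-style verdict: (drop?, reason) for one IPv4 header."""
    try:
        opts = parse_ipv4_options(packet)
    except ValueError as exc:
        return True, f"malformed header: {exc}"
    for kind, _ in opts:
        if kind in SOURCE_ROUTE_OPTIONS:
            return True, f"source route option {SOURCE_ROUTE_OPTIONS[kind]}"
    return False, "no source-route option"


def build_header(options: bytes = b"") -> bytes:
    """Constructed sample IPv4 header (checksum left zero; not checked here)."""
    padded = options + b"\x00" * (-len(options) % 4)   # pad to 32-bit words
    ihl = 5 + len(padded) // 4
    total_len = 20 + len(padded)
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + padded


# Constructed test headers: plain, loose-source-routed, record-route only,
# and one whose IHL claims more bytes than are present.
PLAIN = build_header()
LSRR_PKT = build_header(bytes([IPOPT_LSRR, 7, 4]) + bytes([192, 0, 2, 1]))
RR_PKT = build_header(bytes([IPOPT_NOP, IPOPT_RR, 7, 4]) + b"\x00" * 4)
BAD_IHL_PKT = bytes([0x46]) + PLAIN[1:]

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("lsrr", LSRR_PKT),
                      ("rr", RR_PKT), ("bad-ihl", BAD_IHL_PKT)]:
        print(name, should_drop(pkt))
```

The walker deliberately bounds every index by the IHL-derived header length rather than by the packet length, so an option whose length byte runs past the header is rejected instead of silently reading into the payload.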