From: Lorenzo Colitti [mailto:lore...@google.com]
Sent: Tuesday, June 04, 2013 3:45 AM
To: Vízdal Aleš
Cc: Joel M. Halpern; Sheng Jiang; <v6...@ietf.org>; draft-jiang-v6ops-semantic-pre...@tools.ietf.org; ipv6@ietf.org
Subject: Re: [v6ops] Could IPv6 address be more than locator?//draft-jiang-v6ops-semantic-prefix-03
On Mon, Jun 3, 2013 at 11:59 PM, Vízdal Aleš <ales.viz...@t-mobile.cz<mailto:ales.viz...@t-mobile.cz>> wrote:

> > If I am reading this correctly, in the end this is driven by the fact that
> > existing boxes can easily filter on addresses (although it will take a lot
> > of filters), but cannot apply ACLs to DSCPs or extension headers?
>
> The current boxes can do both ACL filtering as well as DSCP mangling, but as
> mentioned earlier the DSCP bits cannot be trusted, so a markdown/re-marking
> is required, potentially involving DPI. Maintaining ACLs is also time consuming.

I don't understand what the difference is. Why can the addresses be trusted? Answer - because you drop packets if the host uses the wrong address. But all the space is routed to the user anyway, and the semantic bits only express semantics, right? Therefore you can't use routing or RPF to implement the drops, and you have to use an ACL.

[ales] Let’s assume the SP is providing a prefix per service, so the host will be provided with multiple addresses from multiple prefixes (e.g. voice, iptv, Internet). If the host picks a wrong address with a better QoS policy, e.g. iptv to talk to the Internet, it won’t work, as this prefix shall be used to talk to iptv only, so there is no point in playing with prefixes on the host side. ACLs shall be installed to make sure that the service-designated prefix can reach the respective service only, by matching the semantic bits. Semantics shall not be limited to QoS only, as they can define service, customer, VPN service, security level, location … so the ACLs can be simplified to match the semantic bits instead of matching exact src / dst and maintaining ‘sometimes’ long lists of these. So users with the same service profile can use the same ACLs.

So if you have to use an ACL to do this anyway, then why can't you make the ACL drop packets if the host uses the wrong DSCP codepoint? That way you don't need to use extra address space.
[ales] ACLs can be used to set/change the DSCP, but the semantics are not only about QoS/DSCP. Semantics can help to simply set the DSCP based on the semantic bits encoded in the address (src/dst), compared to matching src / dst / L4 ports or even employing DPI on a per-subscriber basis.
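The address-based policy described in the reply above (a service-designated prefix may only reach its own service, DSCP is set from the address semantics instead of being trusted from the host, and one ACL entry per service replaces one entry per customer), sketched as an added Python example. This is not code from the thread or from draft-jiang-v6ops-semantic-prefix; the layout (SP /32 aggregate, 4-bit service field, 12-bit customer index, one /48 per customer per service), the service codes, the DSCP values and every address below are assumptions constructed for the example.

```python
import ipaddress

# Hypothetical semantic-prefix layout, an assumption for this example only:
#   /32       SP aggregate                         2001:db8::/32
#   4 bits    service field ("semantic bits")      voice=1, iptv=2, internet=3
#   12 bits   customer index
#   -> each customer receives one /48 per service
SP = ipaddress.IPv6Network("2001:db8::/32")
SERVICE_BITS = 4
CUSTOMER_BITS = 12
SERVICE_SHIFT = 128 - (SP.prefixlen + SERVICE_BITS)      # field at bits 95..92
CUSTOMER_SHIFT = SERVICE_SHIFT - CUSTOMER_BITS           # index at bits 91..80
SERVICES = {"voice": 1, "iptv": 2, "internet": 3}
SERVICE_DSCP = {"voice": 46, "iptv": 34, "internet": 0}  # EF, AF41, best effort (assumed)


def customer_prefix(service, idx):
    """The /48 handed to customer `idx` for `service`."""
    base = (int(SP.network_address)
            | (SERVICES[service] << SERVICE_SHIFT)
            | (idx << CUSTOMER_SHIFT))
    return ipaddress.IPv6Network((base, SP.prefixlen + SERVICE_BITS + CUSTOMER_BITS))


def service_prefix(service):
    """One /36 covering every customer's prefix for `service`. Because the
    semantic field sits directly after the SP aggregate, a single prefix
    match selects the service no matter which customer sourced the packet."""
    base = int(SP.network_address) | (SERVICES[service] << SERVICE_SHIFT)
    return ipaddress.IPv6Network((base, SP.prefixlen + SERVICE_BITS))


def service_of(addr):
    """Decode the semantic bits of an address. None if the address is outside
    the SP aggregate or the field holds a value no service is assigned to."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in SP:
        return None
    code = (int(addr) >> SERVICE_SHIFT) & ((1 << SERVICE_BITS) - 1)
    return next((name for name, c in SERVICES.items() if c == code), None)


def classify_destination(dst):
    """A destination inside the SP's voice or iptv prefix belongs to that
    service; anything else (including off-net addresses) is 'internet'."""
    svc = service_of(dst)
    return svc if svc in ("voice", "iptv") else "internet"


def forward(src, dst, host_dscp):
    """Edge policy from the thread: a service prefix may reach only its own
    service, and the DSCP is derived from the source address semantics rather
    than taken from the host. Returns (action, dscp_to_write)."""
    src_svc = service_of(src)
    if src_svc is None:
        return ("drop", None)                 # not one of our semantic prefixes
    if classify_destination(dst) != src_svc:
        return ("drop", None)                 # e.g. iptv-sourced packet towards the Internet
    return ("permit", SERVICE_DSCP[src_svc])  # host_dscp deliberately ignored


def semantic_acl():
    """Entries needed when matching on semantic bits: one per service."""
    return [(service_prefix(s), s) for s in SERVICES]


def exact_acl(n_customers):
    """Equivalent list without semantic bits: one entry per customer per service."""
    return [(customer_prefix(s, i), s) for s in SERVICES for i in range(n_customers)]


if __name__ == "__main__":
    # Constructed sample traffic for customer index 7.
    iptv_host = str(customer_prefix("iptv", 7).network_address + 1)      # 2001:db8:2007::1
    inet_host = str(customer_prefix("internet", 7).network_address + 1)  # 2001:db8:3007::1
    off_net = "2001:4860:4860::8888"   # constructed off-net destination
    print(forward(iptv_host, off_net, 46))   # dropped: iptv prefix may not reach the Internet
    print(forward(inet_host, off_net, 46))   # permitted, DSCP forced to 0 despite host marking EF
    print(len(semantic_acl()), "vs", len(exact_acl(1000)), "entries")
```

The per-service match collapses to a plain /36 only because the semantic field is placed immediately after the SP aggregate. If the field were placed below the customer index instead, selecting a service across all customers would need a non-contiguous address mask, which not every ACL implementation supports, so field placement decides whether the "simpler ACLs" argument holds on a given box.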
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------