Subject: Re: Summer of Code: Policy routing / Implement IPv6 ipflow_fastforward
To: David Young <dyoung@pobox.com>
From: Jonathan Stone <jonathan@dsg.stanford.edu>
List: tech-net
Date: 06/14/2005 12:22:19
In message <20050614175233.GW20530@che.ojctech.com>,
David Young writes:
>IMO, these are the bare minimum fields we must be able to route by:
>
>        * ToS field
>        * protocol/port number
>        * packet length
>        * packet labels (tokens attached to a packet by IPFilter, pf,
>          or the input interface---e.g., m_pkthdr.rcvif)
>
>A good solution should be easily extensible.  And fast.  A big question in
>my mind is, "what is the architecture of fast, extensible policy routing?"
>How is this (not) accomplished in other systems?

Because a "full" solution requires running a packet classifier -- a
packet filter -- over *every* inbound or outbound packet.  That's
inherently slow.

There's considerable research into both more efficient algorithms
(check one of several SIGCOMM papers by, for example, George Varghese)
and more efficient implementations (such as the SIGCOMM 95 paper by
Dawson Engler examining dynamic machine-code generation from
packetfilter specifications). If you're not already familiar with that
body of work, then that's a *big* flag that you're not qualified to
comment or oversee the project you suggest above.

That said, I'm pretty sure Linux has had route lookup based on
IP-header (src, dst) addresses available for years, though I can't comment
on the performance characteristics of actually _using_ it.

I'd strongly suggest that any attempt at policy-based routing be
either sufficiently fast to handle hundreds of thousands of packets
per second with minimal overhead; or be configurable into a mode where
performance is acceptable; or be off by default.
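As an added illustration of the per-packet classifier cost discussed above, here is a minimal first-match policy-routing classifier over the fields David lists (ToS, protocol/port, packet length, an externally attached label). This is example code written for this page, not NetBSD, Linux or anything from the thread; the rule layout, the "table" result, the label convention and the sample packets are all hypothetical and constructed.

```c
/* Added example, not NetBSD/Linux code: a first-match policy-routing
 * classifier over IPv4 header fields plus a caller-supplied packet label
 * (standing in for a pf/ipf tag or rcvif). Rules, tables, packets: hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct pr_rule {                  /* a mask of 0 (or a 0,0 range) means "any" */
    uint32_t src, src_mask, dst, dst_mask;   /* host-order prefix match */
    uint8_t  tos, tos_mask, proto;           /* tos_mask 0xfc = DSCP only; proto 0 = any */
    uint16_t dport_lo, dport_hi;             /* inclusive TCP/UDP dport range */
    uint16_t len_min, len_max;               /* inclusive IP total-length range */
    uint32_t label, label_mask;              /* label bits attached by the filter */
    int      table;                          /* routing table chosen on match */
};

struct pr_key { uint32_t src, dst, label; uint16_t len, dport; uint8_t tos, proto; };

static uint32_t be32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Extract the fields rules can test. -1 means too short/malformed to route. */
static int pr_extract(const uint8_t *pkt, size_t n, uint32_t label, struct pr_key *k)
{
    size_t ihl;
    if (n < 20 || (pkt[0] >> 4) != 4) return -1;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > n) return -1;
    k->tos = pkt[1];  k->len = be16(pkt + 2);  k->proto = pkt[9];
    k->src = be32(pkt + 12);  k->dst = be32(pkt + 16);  k->label = label;
    k->dport = 0;                 /* only TCP/UDP carry a dport at offset 2 */
    if ((k->proto == 6 || k->proto == 17) && n >= ihl + 4) k->dport = be16(pkt + ihl + 2);
    return 0;
}

static int pr_match(const struct pr_rule *r, const struct pr_key *k)
{
    if ((k->src & r->src_mask) != (r->src & r->src_mask)) return 0;
    if ((k->dst & r->dst_mask) != (r->dst & r->dst_mask)) return 0;
    if ((k->tos & r->tos_mask) != (r->tos & r->tos_mask)) return 0;
    if (r->proto && k->proto != r->proto) return 0;
    if ((r->dport_lo | r->dport_hi) && (k->dport < r->dport_lo || k->dport > r->dport_hi)) return 0;
    if ((r->len_min | r->len_max) && (k->len < r->len_min || k->len > r->len_max)) return 0;
    return (k->label & r->label_mask) == (r->label & r->label_mask);
}

/* Linear first-match scan: O(nrules) field compares per packet, which is the
 * overhead the thread worries about; trie/decision-tree/compiled classifiers
 * trade preprocessing for lookup speed. Returns the matched rule's table,
 * dflt if nothing matches, -1 if the packet cannot be parsed. */
int pr_classify(const struct pr_rule *rules, size_t nrules,
                const uint8_t *pkt, size_t n, uint32_t label, int dflt)
{
    struct pr_key k;
    size_t i;
    if (pr_extract(pkt, n, label, &k) < 0) return -1;
    for (i = 0; i < nrules; i++)
        if (pr_match(&rules[i], &k)) return rules[i].table;
    return dflt;
}

#define IP4(a,b,c,d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
static const struct pr_rule demo_rules[] = {
    { .tos = 0xb8, .tos_mask = 0xfc, .table = 2 },               /* EF (DSCP 46) -> table 2 */
    { .proto = 17, .dport_lo = 53, .dport_hi = 53, .table = 3 }, /* UDP/53 -> table 3 */
    { .label = 1, .label_mask = 1, .table = 4 },                 /* filter-tagged bit 0 -> 4 */
    { .dst = IP4(192,0,2,0), .dst_mask = 0xffffff00u,
      .len_min = 20, .len_max = 128, .table = 5 },               /* small pkts to 192.0.2/24 */
};
#define NRULES (sizeof demo_rules / sizeof demo_rules[0])

/* Constructed sample packets (IP checksum left zero; it is not validated). */
static const uint8_t pkt_ef_dns[28] = {          /* EF-marked UDP 1234 -> 53 */
    0x45,0xb8,0x00,0x1c, 0,0,0,0, 0x40,0x11,0,0, 10,0,0,5, 192,0,2,10,
    0x04,0xd2,0x00,0x35, 0x00,0x08,0,0 };
static const uint8_t pkt_dns[28] = {             /* same flow, ToS 0 */
    0x45,0x00,0x00,0x1c, 0,0,0,0, 0x40,0x11,0,0, 10,0,0,5, 192,0,2,10,
    0x04,0xd2,0x00,0x35, 0x00,0x08,0,0 };
static const uint8_t pkt_http[40] = {            /* TCP SYN 49152 -> 80 */
    0x45,0x00,0x00,0x28, 0,0,0,0, 0x40,0x06,0,0, 10,0,0,5, 192,0,2,10,
    0xc0,0x00,0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0 };

int main(void)
{
    printf("EF DNS         -> table %d\n", pr_classify(demo_rules, NRULES, pkt_ef_dns, 28, 0, 0));
    printf("plain DNS      -> table %d\n", pr_classify(demo_rules, NRULES, pkt_dns, 28, 0, 0));
    printf("HTTP, tagged   -> table %d\n", pr_classify(demo_rules, NRULES, pkt_http, 40, 1, 0));
    printf("HTTP, untagged -> table %d\n", pr_classify(demo_rules, NRULES, pkt_http, 40, 0, 0));
    return 0;
}
```

Every packet walks the rule list until something matches, so the cost grows with the rule count and is paid on the forwarding path; that is exactly why the message argues such a facility must either be fast enough for hundreds of thousands of packets per second or be off by default. A packet too short to parse is reported as unclassifiable rather than silently routed by the default table.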