Date created: Monday, September 9, 2024 10:42:33 AM. Last modified: Monday, September 9, 2024 11:54:31 AM

Traffic Policy Match Statements

References

https://en.wikipedia.org/wiki/IPv6_packet#Fixed_header
https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
https://en.wikipedia.org/wiki/IPv6_packet#Hop-by-hop_options_and_destination_options


TLDR;

All of the results below can be explained with the following logic:

A logical "OR" is applied between multiple match terms of the same type within one match statement, e.g. "protocol icmpv6" and "protocol 0" together mean protocol icmpv6 OR protocol 0.

A logical "AND" is applied between match terms of different types, e.g. ("protocol icmpv6" OR "protocol 0") AND "location nht value 0x3a00 mask 0xff00".

 

Logical AND vs Logical OR

A traffic policy can contain multiple match statements. In the example below the first match statement matches all ICMPv6 traffic and drops it; the other two (the implicit defaults) match all remaining IPv4 and IPv6 traffic:

traffic-policy ICMPV6
      match ICMPV6 ipv6
         protocol icmpv6 type all code all
         !
         actions
            drop
      !
      match ipv4-all-default ipv4
      !
      match ipv6-all-default ipv6

 

Within a single match statement, though, multiple match terms may be specified, and how they combine is what matters.

As an example scenario, let's look at blocking IPv6 MLDv2 messages. These are ICMPv6 messages (type 130 Query, 131 MLDv1 Report, 132 MLDv1 Done, and 143 MLDv2 Report) that are sent with an IPv6 hop-by-hop extension header (HBH-EH) carrying the Router Alert option.

The following config has the listed effects:

  • This blocks MLDv2 queries sent without a hop-by-hop header
  • This does not block MLDv2 queries sent with a hop-by-hop header (i.e. real MLD traffic)

traffic-policy MLD_V6
      match MLD_V6 ipv6
         protocol icmpv6 type 130-132, 143 code all
         !
         actions
            drop
      !
      match ipv4-all-default ipv4
      !
      match ipv6-all-default ipv6

This is because "protocol icmpv6" matches on the Next Header field of the fixed (outermost) IPv6 header. When a HBH-EH is present that field is 0 (Hop-by-Hop Options), and the value 58 (ICMPv6) is carried in the HBH-EH's own Next Header field instead, which the "protocol" term never looks at.

As expected then, the following blocks any packet that carries a HBH-EH, regardless of what follows it:

traffic-policy MLD_V6
      match MLD_V6 ipv6
         protocol 0
         !
         actions
            drop
      !
      match ipv4-all-default ipv4
      !
      match ipv6-all-default ipv6

 

When multiple terms of the same type ("protocol") are present in one match statement, logical OR is applied. The following config has the listed effects:

  • This blocks MLDv2 queries without a hop-by-hop header
  • This blocks MLDv2 queries with a hop-by-hop header
  • This actually blocks any traffic with a hop-by-hop header, whatever protocol follows it!

traffic-policy MLD_V6
      match MLD_V6 ipv6
         protocol icmpv6 type 130-132, 143 code all
         protocol 0
         !
         actions
            drop
      !
      match ipv4-all-default ipv4
      !
      match ipv6-all-default ipv6

The above matches when the fixed header's Next Header value is 0 OR 58 (ICMPv6), and only in the ICMPv6 case is the type/code checked further. MLD with a HBH-EH is therefore dropped, but so is every other packet that carries a HBH-EH.

 

When terms of different types are present ("protocol" and "location") a logical AND is applied. A "location" term reads raw bytes at a fixed offset, so the TCAM profile first needs user-defined fields (UDFs) added as key fields; the profile change and the resulting diff were:

hardware tcam
   profile test
      feature traffic-policy port ipv6
         key field ipv6-next-header udf-16b-1 udf-16b-2

#show diff 
--- 
+++ 
@@ -72,7 +72,7 @@
       feature traffic-policy port ipv6
          port qualifier size 7 bits
-         key field dst-ipv6-label hop-limit icmp-type-code ipv6-length ipv6-next-header ipv6-traffic-class l4-dst-port l4-src-port src-ipv6-label tcp-control
+         key field dst-ipv6-label hop-limit icmp-type-code ipv6-length ipv6-next-header ipv6-traffic-class l4-dst-port l4-src-port src-ipv6-label tcp-control udf-16b-1 udf-16b-2
          action count drop set-dscp set-tc set-unshared-policer
          packet ipv6 forwarding bridged
          packet ipv6 forwarding routed
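Review bot: The `key field` line is replaced as a whole, with `ipv6-next-header`, `icmp-type-code` and the other existing fields retained and only `udf-16b-1 udf-16b-2` appended, so the shorter `key field ipv6-next-header udf-16b-1 udf-16b-2` command entered above merged into the existing list rather than replacing it; worth stating that explicitly in the note, since both the `protocol icmpv6 type ...` term and the `location nht` term depend on those fields being present together. Nothing in this hunk shows the `test` profile being selected as the profile in use; confirm that separately, because the added UDF key fields only take effect once this profile is the active one.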

         exit
      exit


traffic-policies

   location nht ip-header-start offset 40 bytes length 16 bits

   traffic-policy MLD_V6
      match MLD_V6 ipv6
         protocol icmpv6 type 130-132, 143 code all
         location nht value 0x3a00 mask 0xff00
         !
         actions
            drop
      !
      match ipv4-all-default ipv4
      !
      match ipv6-all-default ipv6

Above a custom header location "nht" is defined that reads 16 bits starting 40 bytes from the start of the IPv6 header, i.e. the first two bytes of whatever follows the fixed header. When a HBH-EH is present those bytes are its Next Header and Hdr Ext Len fields; the mask 0xff00 keeps only the Next Header, which is compared against 0x3a (58 in base 10), ICMPv6. This is logically AND'ed with the "protocol" term, but the protocol term looks at the fixed header, whose Next Header is 0 whenever the HBH-EH is present. The two conditions can never both be true for the same packet, so this policy also does not work (it cannot match anything).

The "protocol" term could be replaced with a second "location" term that looks at where the ICMPv6 type byte sits when a HBH-EH is present, but that would give two "location" terms, and terms of the same type are OR'ed, not AND'ed, so the policy would also drop any packet whose HBH-EH is followed by ICMPv6 of any type.

Therefore, filtering MLDv2 messages by ICMPv6 type when they sit behind a HBH-EH is not possible with these match terms.
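To make the five match-term combinations discussed above concrete (the four MLD_V6 variants and the two-"location" alternative in the closing paragraph), here is an added Python model. It is illustration written for this note, not Arista code and not part of the original. It builds constructed IPv6 packets with and without a Router Alert hop-by-hop header and evaluates each policy against them using exactly the rules the note states: "protocol" looks only at the fixed header's Next Header, "location" reads raw bytes at an offset from the IPv6 header start, terms of one type are OR'ed and different types AND'ed. The second location term at offset 48 (type byte behind an 8-byte HBH-EH) and the packet contents are assumptions made for the example.

```python
"""Model of how traffic-policy match terms combine, run against constructed
IPv6 packets. Added illustration, not Arista code: the evaluation rules (OR
between terms of the same kind, AND across kinds, 'protocol' reading only the
fixed header's Next Header, 'location' reading raw bytes at an offset from the
start of the IPv6 header) are the ones stated in the note; packets are built here."""
import struct

HOPOPTS, UDP, ICMPV6 = 0, 17, 58
MLD_TYPES = {130, 131, 132, 143}
SRC = bytes.fromhex("fe800000000000000000000000000001")  # fe80::1 (constructed)
DST = bytes.fromhex("ff020000000000000000000000000001")  # ff02::1 (constructed)


def ipv6_packet(next_header, payload, hop_by_hop=False):
    """Fixed IPv6 header (40 bytes) followed by payload. With hop_by_hop=True an
    8-byte Hop-by-Hop Options header carrying the Router Alert option (as MLD
    uses) is inserted, so the fixed header says Next Header 0 and the HBH
    header's own first byte carries the real next_header."""
    if hop_by_hop:
        # NH | HdrExtLen=0 (8 bytes) | Router Alert: type 5, len 2, value 0 | PadN: type 1, len 0
        payload = bytes([next_header, 0, 5, 2, 0, 0, 1, 0]) + payload
        next_header = HOPOPTS
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 1)
    return fixed + SRC + DST + payload


def icmpv6(type_, code=0):
    """ICMPv6 header with a zero checksum; the checksum does not affect matching."""
    return struct.pack("!BBH", type_, code, 0) + bytes(24)


def protocol_term(proto, types=None):
    """'protocol <p> [type ...]': reads the fixed header's Next Header (byte 6).
    Type/code is only inspected when the protocol itself matched."""
    def match(pkt):
        if pkt[6] != proto:
            return False
        return types is None or pkt[40] in types
    return match


def location_term(offset, length_bits, value, mask):
    """'location <n> ip-header-start offset O bytes length L bits' + 'value V mask M'."""
    def match(pkt):
        field = int.from_bytes(pkt[offset:offset + length_bits // 8], "big")
        return (field & mask) == (value & mask)
    return match


def evaluate(pkt, terms):
    """terms: list of (kind, matcher). OR within a kind, AND across kinds."""
    by_kind = {}
    for kind, matcher in terms:
        by_kind.setdefault(kind, []).append(matcher)
    return all(any(m(pkt) for m in ms) for ms in by_kind.values())


# The policies from the note, in the order they appear, plus the two-location
# variant the closing paragraph says would be OR'ed (offset 48 is an assumption:
# the ICMPv6 type byte when an 8-byte HBH-EH precedes it).
NHT = location_term(40, 16, 0x3A00, 0xFF00)             # HBH-EH Next Header == 58
TYPE_AFTER_HBH = location_term(48, 16, 0x8200, 0xFF00)  # ICMPv6 type 130 behind HBH-EH
POLICIES = {
    "protocol icmpv6 type 130-132,143": [("protocol", protocol_term(ICMPV6, MLD_TYPES))],
    "protocol 0": [("protocol", protocol_term(HOPOPTS))],
    "protocol icmpv6 ... / protocol 0": [("protocol", protocol_term(ICMPV6, MLD_TYPES)),
                                          ("protocol", protocol_term(HOPOPTS))],
    "protocol icmpv6 ... / location nht": [("protocol", protocol_term(ICMPV6, MLD_TYPES)),
                                           ("location", NHT)],
    "location nht / location type": [("location", NHT), ("location", TYPE_AFTER_HBH)],
}

PACKETS = {  # constructed samples, not captures
    "MLDv2 query, no HBH": ipv6_packet(ICMPV6, icmpv6(130)),
    "MLDv2 query, HBH": ipv6_packet(ICMPV6, icmpv6(130), hop_by_hop=True),
    "ICMPv6 echo, no HBH": ipv6_packet(ICMPV6, icmpv6(128)),
    "ICMPv6 echo, HBH": ipv6_packet(ICMPV6, icmpv6(128), hop_by_hop=True),
    "UDP, HBH": ipv6_packet(UDP, bytes(8), hop_by_hop=True),
}


def dropped(policy):
    """Names of the sample packets the given policy's match statement would drop."""
    return [name for name, pkt in PACKETS.items() if evaluate(pkt, POLICIES[policy])]


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:40} drops: {dropped(policy)}")
```

Running it reproduces the note: the protocol-only policy drops only the HBH-less query, "protocol 0" and the OR'ed pair drop every HBH packet including UDP, the protocol+location policy drops nothing, and the two-location variant catches the real MLD query but also the echo request behind a HBH-EH.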