Date created: Monday, September 9, 2024 10:42:33 AM. Last modified: Monday, September 9, 2024 11:54:31 AM
Traffic Policy Match Statements
References
https://en.wikipedia.org/wiki/IPv6_packet#Fixed_header
https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
https://en.wikipedia.org/wiki/IPv6_packet#Hop-by-hop_options_and_destination_options
TLDR;
All of the results can be explained with the following logic:
A logical "OR" is applied to multiple match statements of the same type "protocol icmpv6 or protocol 0".
A logical "ADD" is applied between matching types e.g, protocol is specified "protocol icmpv6 or protocol 0" AND "location nht value 0x3a00 mask 0xff00".
Logical AND vs Logical OR
A traffic policy can contain multiple match statements, in the example below a match statement matches all ICMPv6 traffic, the other two match statements match all other L3 traffic:
traffic-policy ICMPV6 match ICMPV6 ipv6 protocol icmpv6 type all code all ! actions drop ! match ipv4-all-default ipv4 ! match ipv6-all-default ipv6
Within a match statement though multiple terms may be specified.
As an example scenario, let's look at blocking IPv6 MLDv2 messages. This are ICMPv6 messages (type 130, 131, 132, and 143) with an IPv6 hop-by-hop extension header (HBH-EH).
The following config has the listed effects:
- This blocks MLD v2 queries without a hop-by-hop header
- This doesn't block MLD v2 query with hop-by-hop header
traffic-policy MLD_V6 match MLD_V6 ipv6 protocol icmpv6 type 130-132, 143 code all ! actions drop ! match ipv4-all-default ipv4 ! match ipv6-all-default ipv6
This is because "protocol icmpv6" is matching the next header value in the outer most packet header, which has a next header type of 0 if the HBH-EH is present.
As expected then, the following blocks any packet with a HBH-EH:
traffic-policy MLD_V6 match MLD_V6 ipv6 protocol 0 ! actions drop ! match ipv4-all-default ipv4 ! match ipv6-all-default ipv6
When multiple statements of the same type ("protocol") are present, logical OR is applied. The following config has the listed effects:
- This blocks MLD v2 queries without a hop-by-hop header
- This blocks MLD v2 queries with a hop-by-hop header
- This actually blocks any traffic with a hop-by-hop header!
traffic-policy MLD_V6 match MLD_V6 ipv6 protocol icmpv6 type 130-132, 143 code all protocol 0 ! actions drop ! match ipv4-all-default ipv4 ! match ipv6-all-default ipv6
The above is checking if the next protocol value is 0 OR ICMPv6 (and only if ICMPv6 does it check the type/code).
When statements of different types are present ("protocol" and "location") a logical AND is applied:
hardware tcam profile test feature traffic-policy port ipv6 key field ipv6-next-header udf-16b-1 udf-16b-2 #show diff --- +++ @@ -72,7 +72,7 @@ feature traffic-policy port ipv6 port qualifier size 7 bits - key field dst-ipv6-label hop-limit icmp-type-code ipv6-length ipv6-next-header ipv6-traffic-class l4-dst-port l4-src-port src-ipv6-label tcp-control + key field dst-ipv6-label hop-limit icmp-type-code ipv6-length ipv6-next-header ipv6-traffic-class l4-dst-port l4-src-port src-ipv6-label tcp-control udf-16b-1 udf-16b-2 action count drop set-dscp set-tc set-unshared-policer packet ipv6 forwarding bridged packet ipv6 forwarding routed exit exit traffic-policies location nht ip-header-start offset 40 bytes length 16 bits traffic-policy MLD_V6 match MLD_V6 ipv6 protocol icmpv6 type 130-132, 143 code all location nht value 0x3a00 mask 0xff00 ! actions drop ! match ipv4-all-default ipv4 ! match ipv6-all-default ipv6
Above a custom header location is defined, which reads the next header value of the HBH-EH and checks if it is 0x3a (58 in base 10) which is ICMPv6. This is logical AND'ed with the "protocol" statement however the protocol statement looks at the outer most packet header which has a next protocol value of 0 for the EH. Therefore this policy also does not work.
The "protocol" statement could be replacement with another "location" statement which looks at where the ICMPv6 type value would be if a HBH-EH is present, but this would result in two "location" statements and statements of the same type are OR'ed and not AND'ed.
Therefore, this example of filtering MLDv6 requests, is not possible.
Previous page: Base IPv6 IS-IS SR-MPLS Topology
Next page: 7280R3 Jericho2 ASIC Drops