You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is assuming #470 gets merged in a version close to its current state.
This PR implements an IpList module in the dataplane crate, where we compute the matching IP address for a given IP address (based on source VNI + source or destination address). The way we do this is by computing, for each packet, the offset of the original address in the original list, accounting for all exclusion prefixes, and then by fetching the matching address at the same offset in the target list, again accounting for all relevant exclusion prefixes.
All of this computation happens at runtime and will slow down performance. Alternatives:
Unroll mappings in a 1-to-1 mappings table (one entry per possible address): not realistic, IPv6 could lead to up to 2^128 entries.
Turn the IpList struct into something like a LPM trie containing allowed prefixes only, in other words: precompute the list of possible prefixes, splitting the initial list to account for exclusion prefixes. For example: as: 1.0.0.0/16, not_as: 1.0.0.0/17 would become as: 1.0.128.0/17. One drawback is that a configuration such as as: 1.0.0.0/16, not_as: 1.0.0.0/24 would be changed into as: (1.0.128.0/17, 1.0.64.0/18, 1.0.32.0/19, 1.0.16.0/20, 1.0.8.0/21, 1.0.4.0/22, 1.0.2.0/23, 1.0.1.0/24), meaning a possible much larger memory footprint.
Other possibilities to explore?
The text was updated successfully, but these errors were encountered:
This is assuming #470 gets merged in a version close to its current state.
This PR implements an
IpListmodule in thedataplanecrate, where we compute the matching IP address for a given IP address (based on source VNI + source or destination address). The way we do this is by computing, for each packet, the offset of the original address in the original list, accounting for all exclusion prefixes, and then by fetching the matching address at the same offset in the target list, again accounting for all relevant exclusion prefixes.All of this computation happens at runtime and will slow down performance. Alternatives:
Unroll mappings in a 1-to-1 mappings table (one entry per possible address): not realistic, IPv6 could lead to up to 2^128 entries.
Turn the
IpListstruct into something like a LPM trie containing allowed prefixes only, in other words: precompute the list of possible prefixes, splitting the initial list to account for exclusion prefixes. For example:as: 1.0.0.0/16, not_as: 1.0.0.0/17would becomeas: 1.0.128.0/17. One drawback is that a configuration such asas: 1.0.0.0/16, not_as: 1.0.0.0/24would be changed intoas: (1.0.128.0/17, 1.0.64.0/18, 1.0.32.0/19, 1.0.16.0/20, 1.0.8.0/21, 1.0.4.0/22, 1.0.2.0/23, 1.0.1.0/24), meaning a possible much larger memory footprint.Other possibilities to explore?
The text was updated successfully, but these errors were encountered: