We all know middleboxes are the bane of the Internet, so in this talk, we’ll use BPF to find an obscure violation of the IPv6 Flow Label specification!
In 2018 APNIC published a blog post that warns against using the IPv6 flow label in load balancers, citing anecdotal evidence that some middleboxes violate the RFC behaviour. Instead of keeping the flow label constant, they change it between the first SYN packet and the next ACK.
Since we’re working on a load balancer at Cloudflare, figuring out just how prevalent this problem is, has always been tantalizing. With our global presence we’re in a great position to see weird traffic, but actually running the experiment would have required source code changes to some of our most critical infrastructure. Not something we are willing to do just to satisfy our curiosity.
Luckily, we can now use kprobes and the new pidfd_getfd syscall to get the data we need without any scary changes! In this session, we will show you how.
![](https://i.ytimg.com/vi/PEzB7av1Qss/maxresdefault.jpg)