North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: ICMP rate limiting on EGRESS (Warning, operational content inside)
On Mon, Jan 17, 2000 at 04:35:58PM +0000, Alex Bligh wrote: > > Sean Donelan wrote: > > Or is this a case, if we had thought about it, we would have prohibited > > it at the start; but now its in the wild we don't know how to get it back > > in the barn. > > Mmmm... we got onto this argument by someone implying we wouldn't need > this sort of defensive technique (ICMP rate limiting on egress) > if source-spoofed weren't transmittable (or weren't widely transmittable). if we're getting into an argument, then just forget it. I would much rather see a proper discussion of the matter, with useful solutions. > I agree. However as you are demonstrating, whilst getting to this > utopia would be great, getting there will take a long time. I'm sure > we *might* also fix DoS attacks using some sort of interprovider MPLS > or like to provide QoS negotiation (and that'll also give you non-destination > based routing) .... and I bet that even if this could > be got to work, it would take even longer. the point I am trying to make is that ICMP rate limiting is duct-tape, and won't fix the problem long-term. rate-limiting at egress points is a good idea, will plug an immediate leak, make the exchanges safer, and help curb a growing problem, but it is not a long-term solution. we need to make a commitment and determine a correct course of action to get to the "utopia" in the long term. it is my fear that as we focus on installing stop-gaps one after the other, we will eventually break legitimate networking. if nobody is interested in working on things that will take a long time to implement, then we are already doomed to failure. > In the mean time, ICMP rate limiting is here now and deployable for > most people at these exchangepoints today. it is exactly this mode of thinking that prevents folks from focusing on good long-term engineering solutions. it's quick, easy, and fixes the problem until it breaks and we have to come up with yet another clever tape-on hack.
|