North American Network Operators Group

Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)

  • From: Jared Mauch
  • Date: Thu Aug 28 08:50:55 2003

On Thu, Aug 28, 2003 at 01:23:40PM +0100, [email protected] wrote:
> 
> On Wed, 27 Aug 2003, [email protected] wrote:
> 
> > We have a similarly sized connection to MFN/AboveNet, which I won't
> > recommend at this time due to some very questionable null routing they're
> > doing (propagating routes to destinations, then bitbucketing traffic sent
> > to them) which is causing complaints from some of our customers and
> > forcing us to make routing adjustments as the customers notice
> > MFN/AboveNet has broken our connectivity to these destinations.
> 
> We've noticed that one of our upstreams (Global Crossing) has introduced 
> ICMP rate limiting 4/5 days ago.  This means that any traceroutes/pings 
> through them look awful (up to 60% apparent packet loss).  After 
> contacting their NOC, they said that the directive to install the ICMP 
> rate limiting was from the Homeland Security folks and that they would not 
> remove them or change the rate at which they limit in the foreseeable 
> future.

	I guess this depends on the type of
interconnect you have with them.  If you're speaking across
a public-IX or private (or even paid) peering link, this doesn't
seem unreasonable that they would limit traffic to a particular
percentage across that circuit.

	I think the key is to determine what is 'normal' and what
obviously constitutes an out of the ordinary amount of ICMP traffic.

	If you're a customer, there's not really a good reason
to rate-limit your icmp traffic.  customers tend to notice and
gripe.  they expect a bit of loss when transiting a peering
circuit or public fabric, and if the loss is only of icmp they
tend to not care.  This is why when I receive escalated tickets
I check using non-icmp based tools as well as using icmp
based tools.

> What are other transit providers doing about this or is it just GLBX?

here's one of many i've posted in the past, note it's also
related to securing machines.

http://www.ultraviolet.org/mail-archives/nanog.2002/0168.html

	I recommend everyone do such icmp rate-limits on their
peering circuits and public exchange fabrics to what is a 'normal'
traffic flow on your network.  The above message from the archives
is from Jan 2002, if these were a problem then and still are now,
perhaps people should either 1) accept that this is part of normal
internet operations, or 2) decide that this is enough and it's time
to seriously do something about these things.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from [email protected]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
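
The two points in the message above, limiting ICMP on a circuit to a 'normal' rate and checking loss reports with non-ICMP tools as well as ICMP ones, shown as an added Python example that is not part of the original post. The policer rate, burst size and traffic rates are constructed, and `police_icmp`, `diagnose` and `traffic` are hypothetical names.

```python
# Added example: token-bucket ICMP policer and a two-protocol loss check.
# All rates, burst sizes and traffic mixes below are constructed.

def police_icmp(packets, rate_pps, burst):
    """Run (time_s, proto) packets through a policer that matches only ICMP.

    Returns {proto: fraction dropped}. Non-ICMP traffic is never dropped here.
    """
    tokens, last = float(burst), 0.0
    sent, dropped = {}, {}
    for now, proto in sorted(packets):
        sent[proto] = sent.get(proto, 0) + 1
        if proto != "icmp":
            continue
        tokens = min(burst, tokens + (now - last) * rate_pps)  # refill
        last = now
        if tokens >= 1.0:
            tokens -= 1.0
        else:
            dropped[proto] = dropped.get(proto, 0) + 1
    return {p: dropped.get(p, 0) / n for p, n in sent.items()}


def diagnose(icmp_loss, tcp_loss, tolerance=0.02):
    """Compare ICMP and non-ICMP probe loss toward the same destination."""
    if icmp_loss <= tolerance and tcp_loss <= tolerance:
        return "clean"
    if tcp_loss <= tolerance:
        return "icmp-only loss: consistent with rate limiting"
    return "loss on non-icmp probes too: investigate the path"


def traffic(icmp_pps, tcp_pps, seconds=60):
    """Constructed, evenly spaced probe and background traffic."""
    icmp = [(i / icmp_pps, "icmp") for i in range(icmp_pps * seconds)]
    tcp = [(i / tcp_pps, "tcp") for i in range(tcp_pps * seconds)]
    return icmp + tcp


if __name__ == "__main__":
    for offered in (50, 250):  # aggregate ICMP pps crossing the circuit
        loss = police_icmp(traffic(offered, 10), rate_pps=100, burst=100)
        print(offered, f"{loss['icmp']:.1%}", f"{loss['tcp']:.1%}",
              diagnose(loss["icmp"], loss["tcp"]))
```

With the limit set above the offered ICMP rate nothing is dropped; once aggregate ICMP exceeds it, pings and traceroutes show heavy apparent loss while the TCP probes across the same circuit are untouched.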