Inflexible ICMP6 Error-limiting Considered Harmful

itojun@iijlab.net itojun@iijlab.net
Thu, 19 Jul 2001 00:48:17 +0900

Previous message: Inflexible ICMP6 Error-limiting Considered Harmful
Next message: Inflexible ICMP6 Error-limiting Considered Harmful
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

	this portion is implementation-dependent (as described in RFC2463) so
	noone is right and noone is wrong, but...

>Real fix would be to implement _error-rate_, in addition to
>_error-interval_ (with sane defaults).  For example, if sampling period
>would be 100 ms and it would be acceptable to have 5 _packets_ per period,
>the potential denial of service attacks would be prevented but the
>traceroute, etc. functionality would still work.

	during KAME development process, it was found that error interval
	limitation is not a good way.  we now impose "maximum N outgoing
	icmp6 per second" (packet-per-second) limitation, which works quite
	well.

itojun

Previous message: Inflexible ICMP6 Error-limiting Considered Harmful
Next message: Inflexible ICMP6 Error-limiting Considered Harmful
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]