Inflexible ICMP6 Error-limiting Considered Harmful

kuznet@ms2.inr.ac.ru kuznet@ms2.inr.ac.ru
Thu, 19 Jul 2001 23:04:11 +0400 (MSK DST)

Previous message: Inflexible ICMP6 Error-limiting Considered Harmful
Next message: Inflexible ICMP6 Error-limiting Considered Harmful
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello!

> >Real fix would be to implement _error-rate_, in addition to
> >_error-interval_ (with sane defaults).  For example, if sampling period
> >would be 100 ms and it would be acceptable to have 5 _packets_ per period,
> >the potential denial of service attacks would be prevented but the
> >traceroute, etc. functionality would still work.
> 
> 	during KAME development process, it was found that error interval
> 	limitation is not a good way.  we now impose "maximum N outgoing
> 	icmp6 per second" (packet-per-second) limitation, which works quite
> 	well.


Right worda are "token bucket filter". And no more words are required
to implement this trivial algorithm.

Alexey

Previous message: Inflexible ICMP6 Error-limiting Considered Harmful
Next message: Inflexible ICMP6 Error-limiting Considered Harmful
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]