RE: more on filtering

["Matthew Kaufman" <matthew () eeph com>]

Tell that to Cisco, Nortel, and any other vendor that can handle huge rates
of traffic that conform to "typical" but, when the pattern of addresses (or
options) in the packets cause the flow cache to thrash, die under loads far
below line rate. (See Cisco's
http://www.cisco.com/warp/public/63/ts_codred_worm.shtml as an example) 

Tell that to any router, switch, or end system vendor who recently found out
what happened when a worm forces near-simultaneous arp requests for every
possible address on a subnet.

I'm afraid that those of us building actual networks are forced to do so
using actual hardware that actually exists today, and using actual hardware
that was actually purchased several years ago and which cannot be forklifted
out.

You call the network "obviously broken", I call it "the only one that can be
built today".

Matthew Kaufman
matthew () eeph com

> -----Original Message-----
> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On 
> Behalf Of Greg Maxwell
> Sent: Thursday, October 30, 2003 7:48 PM
> To: Chris Parker
> Cc: Alex Yuriev; nanog () merit edu
> Subject: Re: more on filtering
>
>
>
> On Thu, 30 Oct 2003, Chris Parker wrote:
>
> > The source of the problem of bad packets is where they 
> ingress to my 
> > network.  I disconnect the flow of bad packets thorugh filtering.  
> > What is the difference, other than I do not remove an entire 
> > interconnect, only the portion of packets that is affecting 
> my ability 
> > to provide services?
>
> If the *content* of the packets is breaking your network: 
> Your network is obviously broken.