nanog mailing list archives
Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms
From: Saku Ytti <saku () ytti fi>
Date: Fri, 8 Mar 2019 16:11:31 +0200
Hey Töma,
NB: Cloudflare is basically busy filtering excessive amounts of spoofed ICMP packets containing whatever parameters and payload criminals could fit into, at virtually no cost for a customer. Your list might become somewhat short then.
I don't know what is the problem is here, but the Cloudflare blog documents one specific problem related to ECMP, where the ICMPv6 messages arrive at wrong host and some solutions they are using to overcome that problem. You are proposing that in this case, there is no such issue of delivering ICMPv6 messages to correct host, but in this case issue is voluntary protection mechanism against too high volume of bad ICMPv6 packets. Is this something you personally are aware of or is this something you suspect might explain the problem? Personally I'm surprised if ICMP volume is relevant based on our netflow data. And I've personally been affected in own deployments with the ECMP problem and have solved it by just sending smaller packets. I understand it to be common problem and it would be good if we'd start asking vendors to fix the problem. The Cloudflare blog entry is 4 years old, if they had started actively pursuing proper fix to the ECMP problem, the fix would be in production right about now. -- ++ytti
Current thread:
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms,Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms, (continued)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms,Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms sthaug (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Stephen Satchell (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Bjørn Mork (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Hunter Fuller (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Fernando Gont (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Mark Andrews (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Saku Ytti (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Joel Jaeggli (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Saku Ytti (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Töma Gavrichenkov (Mar 08)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Saku Ytti (Mar 08)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Tarko Tikan (Mar 08)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Töma Gavrichenkov (Mar 08)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Saku Ytti (Mar 08)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Töma Gavrichenkov (Mar 08)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Saku Ytti (Mar 08)
- RE: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms adamv0025 (Mar 12)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Saku Ytti (Mar 12)
- RE: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms adamv0025 (Mar 12)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Saku Ytti (Mar 12)
- RE: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms adamv0025 (Mar 12)