nanog mailing list archives

Re: Firewall stateful handling of ICMP packets


From: Adi Linden <adil () adis on ca>
Date: Wed, 3 Dec 2003 21:53:59 -0600 (Central Standard Time)


The problem with ICMP is that it is ICMP today. What will it be tomorrow?
It'll aways be putting out fires, controlling packet floods matching
whatever signature.

One solution is to get away from unlimited bandwidth. Once there is a cost
associated to having a PC source Nachi or Welchi traffic, customers will
learn to be more concerned and educate themselves. The cost doesn't have
to be moneytary. Progressive rate limiting could be used, where traffic
gets pinched as the allowed traffic per time slot is consumed.

Adi


Current thread: