nanog mailing list archives
Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms
From: Töma Gavrichenkov <ximaera () gmail com>
Date: Fri, 8 Mar 2019 18:44:05 +0300
On Fri, Mar 8, 2019 at 5:11 PM Saku Ytti <saku () ytti fi> wrote:
Personally I'm surprised if ICMP volume is relevant based on our netflow data.
Legitimate ICMP traffic volume — oh, that's for sure. But when it comes to attack volumes, it's a different story, and current netflow measurements might be a bad indicator here, as in "peacetime generals are always fighting the last war instead of the next one".
You are proposing that in this case, there is no such issue of delivering ICMPv6 messages to correct host
Guaranteed delivery of untrusted remote messages to exactly the particular host behind an equal cost fanout, if allowed in a DDoS mitigation network, is itself a problem, but that has been discussed in detail in the Section 6 of RFC 6437. My point is that it might be hard to find an affordable device that implements ECMP with v6 flow labels without a considerable performance impact. I would personally happy to see what others have tested in that regard. -- Töma
Current thread:
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms, (continued)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Bjørn Mork (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Hunter Fuller (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Fernando Gont (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Mark Andrews (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Saku Ytti (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Joel Jaeggli (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Saku Ytti (Mar 05)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Töma Gavrichenkov (Mar 08)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Saku Ytti (Mar 08)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Tarko Tikan (Mar 08)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Töma Gavrichenkov (Mar 08)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Saku Ytti (Mar 08)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Töma Gavrichenkov (Mar 08)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Saku Ytti (Mar 08)
- RE: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms adamv0025 (Mar 12)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Saku Ytti (Mar 12)
- RE: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms adamv0025 (Mar 12)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Saku Ytti (Mar 12)
- RE: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms adamv0025 (Mar 12)
- Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms Saku Ytti (Mar 12)
- RE: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms adamv0025 (Mar 13)