[AusNOG] network security Question

Jonathan Thorpe jthorpe at Conexim.com.au
Wed May 21 10:54:23 EST 2014


Because you often can’t upgrade the control plane and in general, you don’t expect your control plane to handle your link capacity. The only exception to this is software-based routers which I assume we’re not talking about here.

From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Geordie Guy
Sent: Wednesday, 21 May 2014 10:49 AM
To: Luke Iggleden
Cc: <ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] network security Question

If your links are big enough to exhaust your control plane CPU why would you limit ICMP instead of upgrading your control plane CPU to match your link capacity?

On Wed, May 21, 2014 at 10:41 AM, Luke Iggleden <luke+ausnog at sisgroup.com.au> wrote:
Rate limiting router control planes is definitely required though if your links are big enough to kill your control plane cpu.

I think policing 5Mbit/s of ICMP to a border router control plane is acceptable.

--
Luke Iggleden



On 21/05/2014 10:21 am, Chris Chaundy wrote:
If you are getting flooded with icmp, blocking/rate-limiting at your
border is pretty well pointless as the damage is already done - your
link is toast and the attackers don't give a damn about replies.

And talking about DNS, don't even get started on NTP!!!  Sigh...


On Wed, May 21, 2014 at 10:15 AM, Joshua D'Alton <joshua at railgun.com.au> wrote:

    Some places do this, Linode I believe in some locations (or perhaps
    their carriers/DCs?), just have to remember said hop (XYZ router(s)
    will always have some loss (usually 30%, it's consistent)). And what
    level, well presumably layer 3 ACLs?


    On Wed, May 21, 2014 at 10:08 AM, Alex Samad - Yieldbroker
    <Alex.Samad at yieldbroker.com> wrote:

        With the ICMP, I was more thinking about rate limiting, all nice
        to allow it through, but I also rate limit.  Haven't got any
        shaping on, but I would be de-prioritising a lot of ICMP.

        Just wondering what sort of level do (if they do) rate limit ICMP to


    _______________________________________________
    AusNOG mailing list
    AusNOG at lists.ausnog.net
    http://lists.ausnog.net/mailman/listinfo/ausnog







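A control-plane policer of the shape Luke describes above (5Mbit/s of ICMP allowed to reach a border router's route processor), written here as an added example in Cisco IOS MQC syntax. It is not configuration posted by anyone in the thread; the ACL, class-map and policy-map names (COPP-ICMP, COPP) are assumed, and the 5 Mbit/s figure is Luke's number, not a recommendation from the page. Chris's caveat still applies: this protects the CPU behind the punt path, not the link in front of it, so an ICMP flood that saturates the link has already done its damage before the policer ever sees a packet.

```cisco
! Added example, not from the thread. Names COPP-ICMP / COPP are assumed.
! Match every ICMP packet that is punted to the control plane.
ip access-list extended COPP-ICMP
 permit icmp any any
!
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
policy-map COPP
 class COPP-ICMP
  ! Police ICMP to 5 Mbit/s (Luke's figure); conforming packets reach the CPU,
  ! anything above the rate is dropped at the policer rather than queued.
  police 5000000 conform-action transmit exceed-action drop
 class class-default
  ! Left unpoliced in this example. A production CoPP policy adds separate
  ! classes (and rates) for routing protocols, management traffic, and
  ! undesirable traffic, so that ICMP cannot be used to starve them either.
!
! Apply the policy inbound on the control plane itself, not on a data interface.
control-plane
 service-policy input COPP
```

Once applied, `show policy-map control-plane` reports conformed and exceeded counters per class; a growing exceeded counter for COPP-ICMP during normal operation means the rate is too low for legitimate use (for example, large-scale traceroute or monitoring), while a flat zero during an attack means the flood is not actually reaching the control plane and, as Chris points out, the problem is the link rather than the CPU.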
