<div dir="ltr">If your links are big enough to exhaust your control plane CPU, why would you limit ICMP instead of upgrading your control plane CPU to match your link capacity?</div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Wed, May 21, 2014 at 10:41 AM, Luke Iggleden <span dir="ltr"><<a href="mailto:luke+ausnog@sisgroup.com.au" target="_blank">luke+ausnog@sisgroup.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Rate limiting router control planes is definitely required though if your links are big enough to kill your control plane cpu.<br>
<br>
I think police 5Mbit/s of ICMP to a border router control plane is acceptable.<br>
<br>
-- <br>
Luke Iggleden<div class=""><br>
<br>
<br>
On 21/05/2014 10:21 am, Chris Chaundy wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">
If you are getting flooded with icmp, blocking/rate-limiting at your<br>
border is pretty well pointless as the damage is already done - your<br>
link is toast and the attackers don't give a damn about replies.<br>
<br>
And talking about DNS, don't even get started on NTP!!! Sigh...<br>
<br>
<br>
On Wed, May 21, 2014 at 10:15 AM, Joshua D'Alton <<a href="mailto:joshua@railgun.com.au" target="_blank">joshua@railgun.com.au</a><br></div><div class="">
<mailto:<a href="mailto:joshua@railgun.com.au" target="_blank">joshua@railgun.com.au</a>>> wrote:<br>
<br>
Some places do this, Linode I believe in some locations (or perhaps<br>
their carriers/DCs?), just have to remember said hop (XYZ router(s))<br>
will always have some loss (usually 30%, it's consistent). And what<br>
level, well presumably layer 3 ACLs?<br>
<br>
<br>
On Wed, May 21, 2014 at 10:08 AM, Alex Samad - Yieldbroker<br></div><div class="">
<<a href="mailto:Alex.Samad@yieldbroker.com" target="_blank">Alex.Samad@yieldbroker.com</a> <mailto:<a href="mailto:Alex.Samad@yieldbroker.com" target="_blank">Alex.Samad@yieldbroker.com</a>>> wrote:<br>
<br>
With the icmp, I was more thinking about rate limiting, all nice<br>
to allow it through, but I also rate limit. Haven't got any<br>
shaping on, but I would be deprioritising a lot of icmp<br>
<br>
Just wondering what sort of level do (if they do) rate limit icmp to<br>
<br>
<br>
_______________________________________________<br>
AusNOG mailing list<br></div>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a> <mailto:<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a>><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><div class=""><br>
</div></blockquote><div class="HOEnZb"><div class="h5">
</div></div></blockquote></div><br></div>