[AusNOG] network security Question

Geordie Guy elomis at gmail.com
Wed May 21 10:48:40 EST 2014


If your links are big enough to exhaust your control plane CPU why would
you limit ICMP instead of upgrading your control plane CPU to match your
link capacity?


On Wed, May 21, 2014 at 10:41 AM, Luke Iggleden <luke+ausnog at sisgroup.com.au> wrote:

> Rate limiting router control planes is definitely required though if your
> links are big enough to kill your control plane cpu.
>
> I think police 5Mbit/s of ICMP to a border router control plane is
> acceptable.
>
> --
> Luke Iggleden
>
>
>
> On 21/05/2014 10:21 am, Chris Chaundy wrote:
>
>> If you are getting flooded with icmp, blocking/rate-limiting at your
>> border is pretty well pointless as the damage is already done - your
>> link is toast and the attackers don't give a damn about replies.
>>
>> And talking about DNS, don't even get started on NTP!!!  Sigh...
>>
>>
>> On Wed, May 21, 2014 at 10:15 AM, Joshua D'Alton <joshua at railgun.com.au> wrote:
>>
>>     Some places do this, Linode I believe in some locations (or perhaps
>>     their carriers/DCs?), just have to remember said hop (XYZ router(s))
>>     will always have some loss (usually 30%, it's consistent). And what
>>     level, well presumably layer 3 ACLs?
>>
>>
>>     On Wed, May 21, 2014 at 10:08 AM, Alex Samad - Yieldbroker
>>     <Alex.Samad at yieldbroker.com> wrote:
>>
>>         With the icmp, I was more thinking about rate limiting, all nice
>>         to allow it through, but I also rate limit.  Haven't got any
>>         shaping on, but I would be deprioritising a lot of icmp
>>
>>         Just wondering what sort of level do (if they do) rate limit icmp to
>>
>>
>>     _______________________________________________
>>     AusNOG mailing list
>>     AusNOG at lists.ausnog.net
>>     http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>
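
An added illustration, not part of any poster's message: a small token-bucket simulation of the two points argued in this thread, that a 5 Mbit/s ICMP policer bounds what reaches the control-plane CPU, while the inbound link is saturated regardless of what the border router drops. The 1 Gbit/s link, 15 kB burst, 1250-byte packets and all function names are assumptions chosen for the example.

```python
# Constructed model: ICMP flood -> upstream link -> control-plane policer -> CPU.
# All sizes and rates are assumed sample values, not taken from the thread
# (except the 5 Mbit/s police rate).
TICK_MS = 10  # simulation step


def police(arrivals, rate_bps, burst_bytes):
    """Single-rate token bucket: conforming packets pass, the rest drop.

    arrivals is a list of per-tick lists of packet sizes in bytes.
    Returns (conformed_bytes, dropped_bytes).
    """
    refill = rate_bps * TICK_MS // 8000  # bytes of credit earned per tick
    tokens = burst_bytes                 # bucket starts full
    conformed = dropped = 0
    for packets in arrivals:
        tokens = min(burst_bytes, tokens + refill)
        for size in packets:
            if size <= tokens:
                tokens -= size
                conformed += size
            else:
                dropped += size
    return conformed, dropped


def simulate(offered_bps, link_bps=1_000_000_000, police_bps=5_000_000,
             burst_bytes=15_000, pkt_bytes=1250, seconds=1):
    """Return link utilisation and the ICMP rate that reaches the CPU."""
    # The link itself discards anything above its capacity before the
    # router can police it, so the policer only ever sees min(offered, link).
    delivered_bps = min(offered_bps, link_bps)
    per_tick = delivered_bps * TICK_MS // 8000 // pkt_bytes
    ticks = seconds * 1000 // TICK_MS
    arrivals = [[pkt_bytes] * per_tick for _ in range(ticks)]
    to_cpu, dropped = police(arrivals, police_bps, burst_bytes)
    return {
        "link_utilisation": delivered_bps / link_bps,
        "to_cpu_bps": to_cpu * 8 // seconds,
        "policer_drop_bps": dropped * 8 // seconds,
    }


if __name__ == "__main__":
    print("normal:", simulate(offered_bps=1_000_000))
    print("flood: ", simulate(offered_bps=2_000_000_000))
```

In the flood case the CPU sees roughly the policed rate plus the initial burst, yet link utilisation is still 100%, so legitimate traffic sharing that link is squeezed out before the router gets a say.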