[26803] in North American Network Operators' Group
Re: ICMP rate limiting on EGRESS (Warning, operational content
daemon@ATHENA.MIT.EDU (Alex Bligh)
Mon Jan 17 11:38:08 2000
From: Alex Bligh <amb@gxn.net>
To: Sean Donelan <sean@donelan.com>
Cc: bmanning@vacation.karoshi.com, nanog@merit.edu
In-reply-to: Your message of "17 Jan 2000 08:07:36 PST."
<20000117160736.22827.cpmta@c004.sfo.cp.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 17 Jan 2000 16:35:58 +0000
Message-Id: <E12AF8I-0002gj-00@sapphire.noc.gxn.net>
Errors-To: owner-nanog-outgoing@merit.edu
Sean Donelan wrote:
> Or is this a case, if we had thought about it, we would have prohibited
> it at the start; but now it's in the wild we don't know how to get it back
> in the barn.
Mmmm... we got onto this argument by someone implying we wouldn't need
this sort of defensive technique (ICMP rate limiting on egress)
if source-spoofed weren't transmittable (or weren't widely transmittable).
I agree. However as you are demonstrating, whilst getting to this
utopia would be great, getting there will take a long time. I'm sure
we *might* also fix DoS attacks using some sort of interprovider MPLS
or like to provide QoS negotiation (and that'll also give you non-destination
based routing) .... and I bet that even if this could
be got to work, it would take even longer.
In the meantime, ICMP rate limiting is here now and deployable for
most people at these exchange points today.
--
Alex Bligh
GX Networks (formerly Xara Networks)
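As an added illustration that is not part of Alex's post or of any router vendor's implementation, here is a small Python model of the defensive technique the thread is about: a token bucket applied only to ICMP leaving an interface, run over a constructed 500 pps ICMP storm with ordinary TCP mixed in. The rate (100 pps), burst (10 packets) and the traffic sample are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str   # "icmp", "tcp", ...
    ts_ms: int   # time the packet reaches the egress interface, in ms

class TokenBucket:
    """Token bucket for `rate_pps` packets/second with `burst` packets of slack.
    Tokens are kept in thousandths so the refill is pure integer arithmetic."""
    def __init__(self, rate_pps, burst):
        self.rate_pps = rate_pps
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = 0

    def allow(self, now_ms):
        # rate_pps packets per 1000 ms is rate_pps millitokens per ms
        refill = (now_ms - self.last_ms) * self.rate_pps
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

def egress_icmp_limit(packets, rate_pps=100, burst=10):
    """Limit only ICMP on egress; all other traffic is forwarded untouched."""
    bucket = TokenBucket(rate_pps, burst)
    forwarded, dropped = [], []
    for p in sorted(packets, key=lambda p: p.ts_ms):
        if p.proto == "icmp" and not bucket.allow(p.ts_ms):
            dropped.append(p)
        else:
            forwarded.append(p)
    return forwarded, dropped

def constructed_traffic():
    """Constructed sample (assumed values): a 200 ms ICMP storm at 500 pps of the
    kind spoofed-source traffic provokes, ordinary TCP mixed in, one ping much later."""
    flood = [Packet("icmp", 2 * i) for i in range(100)]
    tcp = [Packet("tcp", 20 * j) for j in range(10)]
    return flood + tcp + [Packet("icmp", 1000)]

def summarize(packets=None):
    fwd, drop = egress_icmp_limit(packets or constructed_traffic())
    count = lambda proto, ps: sum(p.proto == proto for p in ps)
    return {"icmp_forwarded": count("icmp", fwd), "icmp_dropped": count("icmp", drop),
            "tcp_forwarded": count("tcp", fwd), "tcp_dropped": count("tcp", drop)}
```

The burst of 10 absorbs the first 12 packets, after which only one in five of the 500 pps storm gets through (the configured 100 pps), the TCP traffic is never touched, and the lone ping well after the storm is forwarded because the bucket has refilled.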