[26804] in North American Network Operators' Group
Re: ICMP rate limiting on EGRESS (Warning, operational content inside)
daemon@ATHENA.MIT.EDU (Sam Thomas)
Mon Jan 17 12:22:38 2000
Date: Mon, 17 Jan 2000 17:20:31 +0000
From: Sam Thomas <sthomas@lart.net>
To: Alex Bligh <amb@gxn.net>
Cc: Sean Donelan <sean@donelan.com>, bmanning@vacation.karoshi.com,
nanog@merit.edu
Message-ID: <20000117172031.B9357@lart.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <E12AF8I-0002gj-00@sapphire.noc.gxn.net>; from Alex Bligh on Mon, Jan 17, 2000 at 04:35:58PM +0000
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, Jan 17, 2000 at 04:35:58PM +0000, Alex Bligh wrote:
>
> Sean Donelan wrote:
> > Or is this a case, if we had thought about it, we would have prohibited
> > it at the start; but now its in the wild we don't know how to get it back
> > in the barn.
>
> Mmmm... we got onto this argument by someone implying we wouldn't need
> this sort of defensive technique (ICMP rate limiting on egress)
> if source-spoofed weren't transmittable (or weren't widely transmittable).
if we're getting into an argument, then just forget it. I would much
rather see a proper discussion of the matter, with useful solutions.
> I agree. However as you are demonstrating, whilst getting to this
> utopia would be great, getting there will take a long time. I'm sure
> we *might* also fix DoS attacks using some sort of interprovider MPLS
> or like to provide QoS negotiation (and that'll also give you non-destination
> based routing) .... and I bet that even if this could
> be got to work, it would take even longer.
the point I am trying to make is that ICMP rate limiting is duct-tape, and
won't fix the problem long-term. rate-limiting at egress points is a good
idea, will plug an immediate leak, make the exchanges safer, and help
curb a growing problem, but it is not a long-term solution. we need to make
a commitment and determine a correct course of action to get to the "utopia"
in the long term. it is my fear that as we focus on installing stop-gaps
one after the other, we will eventually break legitimate networking. if
nobody is interested in working on things that will take a long time to
implement, then we are already doomed to failure.
> In the mean time, ICMP rate limiting is here now and deployable for
> most people at these exchangepoints today.
it is exactly this mode of thinking that prevents folks from focusing on
good long-term engineering solutions. it's quick, easy, and fixes the
problem until it breaks and we have to come up with yet another clever
tape-on hack.
