[65642] in North American Network Operators' Group


Re: Firewall stateful handling of ICMP packets

daemon@ATHENA.MIT.EDU (Adi Linden)
Wed Dec 3 22:56:43 2003

Date: Wed, 3 Dec 2003 21:53:59 -0600 (Central Standard Time)
From: Adi Linden <adil@adis.on.ca>
To: nanog@merit.edu
In-Reply-To: <sfce5f61.046@imail.mbs.gov.on.ca>
Errors-To: owner-nanog-outgoing@merit.edu


The problem with ICMP is that it is ICMP today. What will it be tomorrow?
It'll always be putting out fires, controlling packet floods matching
whatever signature.

One solution is to get away from unlimited bandwidth. Once there is a cost
associated with having a PC source Nachi or Welchi traffic, customers will
learn to be more concerned and educate themselves. The cost doesn't have
to be monetary. Progressive rate limiting could be used, where traffic
gets pinched as the allowed traffic per time slot is consumed.

Adi
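
One way to model the progressive rate limiting suggested in the message above, as an added example that is not part of the original post. The slot length, allowance, rates and tier thresholds are constructed values chosen for illustration, and the class and function names are hypothetical.

```python
from dataclasses import dataclass

# Assumed tiers: (percent of slot allowance consumed, percent of full rate allowed).
# The further a customer eats into the slot allowance, the harder traffic is pinched.
TIERS = [(0, 100), (50, 50), (80, 25), (100, 5)]


@dataclass
class ProgressiveLimiter:
    slot_seconds: int    # length of one accounting time slot
    slot_allowance: int  # bytes a customer may send per slot before the last tier
    full_rate: int       # bytes per second while unpinched
    slot_start: int = 0
    used: int = 0

    def current_rate(self) -> int:
        """Bytes per second allowed right now, given consumption in this slot."""
        pct = 100
        for threshold, rate_pct in TIERS:
            if self.used * 100 >= threshold * self.slot_allowance:
                pct = rate_pct
        return self.full_rate * pct // 100

    def offer(self, now: int, nbytes: int) -> int:
        """Account for nbytes offered during second `now`; return bytes forwarded."""
        elapsed = now - self.slot_start
        if elapsed >= self.slot_seconds:
            # A new time slot begins: consumption resets and the pinch is released.
            self.slot_start += (elapsed // self.slot_seconds) * self.slot_seconds
            self.used = 0
        sent = min(nbytes, self.current_rate())
        self.used += sent
        return sent


def simulate(offered_per_sec: int, seconds: int) -> list:
    """Forwarded bytes per second for a host offering a constant load (constructed)."""
    limiter = ProgressiveLimiter(slot_seconds=60, slot_allowance=6000, full_rate=200)
    return [limiter.offer(t, offered_per_sec) for t in range(seconds)]


if __name__ == "__main__":
    flood = simulate(1000, 61)   # constructed: host flooding at 5x its full rate
    normal = simulate(50, 61)    # constructed: ordinary customer, never pinched
    for t in (0, 15, 33, 57, 60):
        print(f"t={t:2d}s flood={flood[t]:3d} B/s normal={normal[t]:3d} B/s")
```

The flooding host is stepped down within the slot and restored at the next one, while the ordinary customer never reaches the first threshold.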
