Thanks Martin. We should have an updated document shortly.
Anoop

On Fri, Jun 6, 2014 at 7:47 AM, Martin Thomson <[email protected]> wrote:
> On 5 June 2014 20:29, Anoop Ghanwani <[email protected]> wrote:
> > It is possible for a sophisticated attacker with knowledge of the details of
> > large flow recognition algorithm (packet fields used and parameters of the
> > algorithm) and the network topology to launch an attack in which sufficient
> > traffic is generated so as to result in the flow being recognized as a large
> > flow resulting in the installation of a PBR rule. Subsequently, the
> > attacker can generate traffic for other such flows resulting in consuming
> > entries in the PBR table until the older, inactive flows are removed.
>
> I had a little trouble parsing this, perhaps:
>
> An attacker with knowledge of the large flow recognition algorithm and
> any stateless distribution method can generate flows that are
> distributed in a way that overloads a specific path. This could be
> used to cause the creation of PBR rules that exhaust the available
> rule capacity on nodes. If PBR rules are consequently discarded, this
> could result in congestion on the attacker-selected path.
> Alternatively, tracking large numbers of PBR rules could result in
> performance degradation.
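A small model of the exhaustion the quoted text describes, added here as an illustration and not code from the draft or the thread: a byte-count large-flow recognizer feeds a bounded PBR table that reclaims only idle rules, so a burst of distinct large flows fills it and later large flows get no rule. The threshold, capacity, idle timeout and the packet trace are constructed values, and the `rejected` list is the signal an operator would alert on.

```python
from collections import OrderedDict

# Constructed parameters; the draft's real thresholds are not given on the page.
THRESHOLD_BYTES = 10_000   # bytes seen before a flow is recognised as "large"
TABLE_CAPACITY = 4         # PBR rule slots available on the node
IDLE_TIMEOUT = 5           # ticks of inactivity before a rule may be reclaimed


class PbrTable:
    """Bounded PBR rule table that reclaims only inactive rules."""

    def __init__(self, capacity, idle_timeout):
        self.capacity, self.idle_timeout = capacity, idle_timeout
        self.rules = OrderedDict()   # flow key -> tick of last activity
        self.rejected = []           # (tick, flow) of large flows that got no rule

    def touch(self, flow, now):
        if flow in self.rules:
            self.rules[flow] = now

    def install(self, flow, now):
        if flow in self.rules:
            return True
        for f, last in list(self.rules.items()):
            if len(self.rules) < self.capacity:
                break
            if now - last > self.idle_timeout:   # reclaim an inactive rule
                del self.rules[f]
        if len(self.rules) >= self.capacity:     # every rule still active: exhausted
            self.rejected.append((now, flow))
            return False
        self.rules[flow] = now
        return True


def simulate(trace, capacity=TABLE_CAPACITY, idle_timeout=IDLE_TIMEOUT):
    """trace: iterable of (tick, flow_key, bytes). Returns (installed, rejected)."""
    table = PbrTable(capacity, idle_timeout)
    seen = {}
    for tick, flow, nbytes in trace:
        seen[flow] = seen.get(flow, 0) + nbytes
        table.touch(flow, tick)
        if seen[flow] >= THRESHOLD_BYTES:        # recognised as a large flow
            table.install(flow, tick)
    return list(table.rules), table.rejected


# Constructed trace: six distinct large flows, one per tick, then one more much later.
TRACE = [(t, f"flow{t}", 11_000) for t in range(6)] + [(20, "flow20", 11_000)]

if __name__ == "__main__":
    print(simulate(TRACE))
```

Flows 4 and 5 are rejected because all four slots hold rules still within the idle timeout; by tick 20 the oldest rule is idle and is reclaimed for flow20.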
_______________________________________________ Gen-art mailing list [email protected] https://www.ietf.org/mailman/listinfo/gen-art
