On 1/3/12 11:33 , Carlos Pignataro wrote:
> Joel, Jared,
>
> On 12/27/2011 8:03 PM, Jared Mauch wrote:
>> Joel,
>>
>> On Dec 24, 2011, at 1:28 PM, Joel jaeggli wrote:
>>
>>> So, something targeted through the forwarding plane that filters up to
>>> the control plane will be filtered first either by source address or
>>> passed through a rate limiter or both because those are the protections
>>> we have that actually scale. Authentication increases the vulnerability
>>> to some kinds of abuse rather than decreasing it.
>>
>>
>> Thanks. I think I mentioned this in another message, but captures an
>> important concern about the network elements being managed.
>> Implementation details matter.
>>
>
> Yes, this is an inband packet flowing through the forwarding plane, that
> upon exception needs processing. What you describe is the existing
> traceroute mechanism, as well as other protocols, some widely
> operationally deployed (including MPLS Ping in RFC 4379 with the
> complexity and computational expense of a dsmap hashing, RAO in RFC 5971
> and RSVP, etc).

The existing ICMP exception generation mechanism can be and is distributed
to line card CPUs in some router platforms. There are quantitative
differences associated with handling those requests in a distributed
fashion and punting them up to the control plane, because you need more
information than is generally available on a linecard in order to process
the request. That applies both to the contents and the authentication
mechanism.

> I agree with your point that authentication increases the surface area
> for abuse in some conditions. I think that one approach here is to
> describe, in an applicability statement, in which cases an
> authentication is useful versus in which ones it is potentially harmful.
> Would you agree?

I think that would be acceptable.

> Also, please note that the authentication mechanism is not the most
> important part of draft-shen-traceroute-ping-ext.
>
> Thanks,
>
> -- Carlos.
>
>> - Jared
>>
>>
>