On 2009/11/18, at 18:46, Fred Baker wrote:
> On Nov 18, 2009, at 6:22 PM, Arifumi Matsumoto wrote:
>> I guess that is because if you force it to try all the pairs, it
>> completely ignores the address selection manner defined in RFC 3484,
>> and thus it has no small impact.
> If they space them closely and run them in parallel, I guess I don't
> see the impact. Imagine you have five addresses and your peer has
> five addresses, so there are 25 pairs. Imagine you are spacing the
> SYNs 10 ms apart. Imagine that the only pair that works is the last
> one you try. Worst case, you find out in 2.5 seconds plus one RTT which
> will work. If you cache the result, that only happens once, and if
> you don't, how does that compare to the current model in which you
> pick one address pair by some algorithm and wait for a TCP timeout
> before trying another?
If the packets go through, the servers are going to be flooded.
If the packets are filtered by ingress filtering, site administrators
are going to be flooded :)
Also, I guess that too many error packets, and the error messages that
then have to be generated, would not be desirable.
--
Arifumi Matsumoto
Secure Communication Project
NTT Information Sharing Platform Laboratories
E-mail: [email protected]
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
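A small simulation of the two models compared in the thread (staggered parallel SYNs versus one pair at a time with a TCP connect timeout), added here as an illustration and not code from either poster. It uses the 5x5 address pairs and 10 ms spacing from the quoted message; the addresses, the 50 ms RTT and the 21 s connect timeout are constructed assumptions, and it also counts how many SYNs each model emits, which is the load the reply is concerned about.

```python
from itertools import product

# Constructed sample addresses; assumed already sorted by RFC 3484
# preference (most preferred first). None of these come from the thread.
LOCAL = ["2001:db8:a::1", "2001:db8:b::1", "fd00::1", "192.0.2.10", "10.0.0.10"]
REMOTE = ["2001:db8:c::1", "2001:db8:d::1", "fd00::2", "198.51.100.5", "10.0.0.5"]

def candidate_pairs(local, remote):
    """All (src, dst) pairs, most-preferred destination first, then source."""
    return [(src, dst) for dst in remote for src in local]

PAIRS = candidate_pairs(LOCAL, REMOTE)  # 25 pairs, as in the quoted example

def staggered(pairs, reachable, spacing_ms, rtt_ms):
    """Launch one SYN per pair every spacing_ms, leaving earlier ones
    outstanding; stop launching once the first SYN-ACK has come back.
    Returns (time_to_connect_ms or None, syns_sent)."""
    success_at = None
    sent = 0
    for i, pair in enumerate(pairs):
        now = i * spacing_ms
        if success_at is not None and success_at <= now:
            break  # a working pair already answered; no more SYNs needed
        sent += 1
        if success_at is None and reachable(pair):
            success_at = now + rtt_ms
    return success_at, sent

def sequential(pairs, reachable, rtt_ms, timeout_ms):
    """Current model: try one pair, wait for the connect timeout, move on.
    Simplified to one SYN per attempt (real TCP retransmits the SYN)."""
    elapsed = 0
    sent = 0
    for pair in pairs:
        sent += 1
        if reachable(pair):
            return elapsed + rtt_ms, sent
        elapsed += timeout_ms
    return None, sent

if __name__ == "__main__":
    only_last = lambda p: p == PAIRS[-1]   # worst case from the thread
    first_ok = lambda p: p == PAIRS[0]     # best case: preferred pair works
    for name, ok in (("only last pair works", only_last), ("first pair works", first_ok)):
        print(name, "staggered:", staggered(PAIRS, ok, 10, 50),
              "sequential:", sequential(PAIRS, ok, 50, 21000))
```

Note that even when the preferred pair works, the staggered model has already emitted five SYNs before the first SYN-ACK arrives, whereas the sequential model emits one.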