On Mon, Jan 28, 2019 at 08:49:31PM -0800, Richard Cochran wrote:
> On Mon, Jan 28, 2019 at 05:24:37PM +0100, Miroslav Lichvar wrote:
> > Add option unicast_max_message_rate to limit the rate of messages
> > generated by the unicast service for all contracts of the port.
> > When a request is received and the current rate of messages is so large
> > that granting the service would exceed the maximum, deny the request.
>
> Do we really have to set an artificial limit?

I think we do. The unicast service is a very dangerous feature and by default the damage should be limited. Most people here probably know that PTP has no place on the Internet, but I'm certain someone somewhere will accidentally or intentionally expose a port with unicast service to the Internet, which can be abused for DoS attacks.

I saw somewhere a list of commonly exploited protocols with the highest traffic amplification. We should try to avoid helping PTP get there and take the first place.

memcached is a similar service. It makes no sense to be accessible from the Internet, but you have probably heard how that turned out.

> My original idea was to let the number of clients be limited only by
> the available memory. Paranoid sysadmins can throw ptp4l into a
> C-group.

The problem is with admins that are careless or don't understand PTP well enough to see the implications. The default configuration needs to be safe.

> > The default value is 1024 messages per second, which corresponds to
> > about 680 clients using the default announce and sync intervals, or 4
> > clients using the maximum rate of 128 messages per second.
>
> How did you arrive at those numbers?

A client using logSyncInterval of 0 and logAnnounceInterval of 1 should get on average 1.5 messages per second. 1024 / 1.5 = ~682.

For logSyncInterval -7 and logAnnounceInterval -7 that's 256 messages per second per client, so 1024 / 256 = 4.

-- 
Miroslav Lichvar
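
The admission rule from the quoted patch description, applied to the two client counts worked out in the reply, as an added example that is not part of the original message and is not linuxptp code. All identifiers, the fixed-point scale, and the upper interval bound are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* All names are hypothetical; this is not linuxptp code. */
#define FP_SHIFT 8             /* rates held in 1/256 message-per-second units */
#define MIN_LOG_INTERVAL (-7)  /* 128 msg/s, the per-type maximum in the thread */
#define MAX_LOG_INTERVAL 8     /* assumed bound: one message every 256 s */

/* Port-wide limit and the summed rate of all granted contracts (fixed point). */
struct port_budget { uint64_t max_fp, used_fp; };

/* Rate of one message type sent every 2^log_interval seconds; 0 if invalid. */
static uint64_t rate_fp(int log_interval)
{
	if (log_interval < MIN_LOG_INTERVAL || log_interval > MAX_LOG_INTERVAL)
		return 0;
	return (uint64_t)1 << (FP_SHIFT - log_interval);
}

/* Grant (1) only if the port stays within its limit, otherwise deny (0). */
static int budget_request(struct port_budget *b, int log_interval)
{
	uint64_t r = rate_fp(log_interval);
	if (r == 0 || r > b->max_fp - b->used_fp)
		return 0;
	b->used_fp += r;
	return 1;
}

/* How many clients asking for announce + sync fit under max_rate msg/s. */
static unsigned int clients_admitted(unsigned int max_rate, int log_ann, int log_sync)
{
	struct port_budget b = { (uint64_t)max_rate << FP_SHIFT, 0 };
	unsigned int n = 0;
	while (budget_request(&b, log_ann)) {
		if (!budget_request(&b, log_sync)) {
			b.used_fp -= rate_fp(log_ann); /* undo: no half-served client */
			break;
		}
		n++;
	}
	return n;
}

int main(void)
{
	printf("%u %u\n", clients_admitted(1024, 1, 0), clients_admitted(1024, -7, -7));
	return 0;
}
```

Because the budget is charged per contract and checked before each grant, the worst-case traffic the port can be made to emit is fixed by the configured limit rather than by how many requesters show up.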