On Tue, Aug 04, 2015 at 05:57:47PM -0700, Dan Wing wrote:
> On 04-Aug-2015 12:17 pm, Jared Mauch <[email protected]> wrote:
> >
> > We sadly had to deploy some UDP limits at $dayjob due to
> > attack sizes. Once we did this the daily triage went away. We were not
> > happy about the E2E aspect of this but the damage is now limited and
> > people can literally sleep better at night with fewer pages and escalations.
>
> Which does not bode well for WebRTC (which uses UDP for its SRTP and its data
> channel) or QUIC.
Yes, I think this is why the draft is important to discuss
at least so protocol people understand the operator challenges
faced.
Most people don't realize that TCP performance is many times
UDP performance in hosts as well.
[jared@npd ~]$ iperf -c localhost
------------------------------------------------------------
Client connecting to localhost, TCP port 5001
TCP window size: 2.50 MByte (default)
------------------------------------------------------------
[ 3] local 127.0.0.1 port 55428 connected with 127.0.0.1 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 20.5 GBytes 17.6 Gbits/sec
[jared@npd ~]$ iperf -u -b 99999m -c localhost
------------------------------------------------------------
Client connecting to localhost, UDP port 5001
Sending 1470 byte datagrams, IPG target: 0.12 us (kalman adjust)
UDP buffer size: 208 KByte (default)
------------------------------------------------------------
[ 3] local 127.0.0.1 port 33166 connected with 127.0.0.1 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 1.59 GBytes 1.37 Gbits/sec
[ 3] Sent 1163581 datagrams
[ 3] Server Report:
[ 3] 0.0-10.0 sec 1.59 GBytes 1.36 Gbits/sec 0.000 ms 5416/1163581 (0.47%)
This means you're not getting the UDP performance advantage
you think you are. The challenge here appears to be part of assumptions
which are clearly untrue.
Looking at my IPv4 stats:
89.4% TCP
10.5% UDP
0.15% ICMP
.. other
Doing a rate-limit like this:
ipv4 access-list ntp-limit
permit udp any eq 123 any
permit udp any eq 1900 any
permit udp any eq 19 any
Seems perfectly reasonable and has reduced the impact
of attacks seen by our customers.
- Jared
--
Jared Mauch | pgp key available via finger from [email protected]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
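The protocol mix Jared quotes and the three-line source-port ACL are the two pieces an operator usually wants to check against their own traffic before turning on a policer. The script below is an added example for this thread, not code from the mail or from any vendor; it runs over a handful of constructed flow records (hypothetical, not Jared's data), computes the per-protocol byte share the way the "89.4% TCP / 10.5% UDP" figures are read, and reports how much of the UDP traffic the `permit udp any eq 123|1900|19 any` lines would actually divert into the rate limiter. The `Flow` record and the sample values are assumptions chosen for illustration.

```python
"""Added example (not part of the original OPSEC thread): classify constructed
flow records the way the protocol mix and the source-port ACL in the mail do."""
from collections import Counter
from dataclasses import dataclass

# UDP source ports matched by the ACL lines in the mail (NTP, SSDP, chargen).
REFLECTION_SRC_PORTS = {123: "ntp", 1900: "ssdp", 19: "chargen"}


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp", "icmp", ...
    src_port: int   # 0 where the protocol has no ports (ICMP)
    dst_port: int
    nbytes: int


# Constructed sample flows (hypothetical values, not measured data).
SAMPLE_FLOWS = [
    Flow("tcp", 443, 51000, 800_000),   # ordinary HTTPS download
    Flow("tcp", 51001, 443, 120_000),   # HTTPS upload
    Flow("udp", 53, 40000, 2_000),      # DNS answers
    Flow("udp", 123, 40001, 48_000),    # NTP responses toward a customer
    Flow("udp", 1900, 40002, 30_000),   # SSDP responses toward a customer
    Flow("udp", 19, 40003, 20_000),     # chargen responses toward a customer
    Flow("icmp", 0, 0, 1_500),
]


def protocol_mix(flows):
    """Percent of bytes per protocol, rounded to two places (like the IPv4 stats)."""
    total = sum(f.nbytes for f in flows)
    by_proto = Counter()
    for f in flows:
        by_proto[f.proto] += f.nbytes
    return {p: round(100.0 * b / total, 2) for p, b in by_proto.items()}


def acl_matches(flow):
    """True if the flow matches one of the 'permit udp any eq <port> any' lines.

    The ACL keys on the UDP *source* port: traffic that looks like a reply from
    an NTP/SSDP/chargen server, which is what amplified attack traffic is.
    """
    return flow.proto == "udp" and flow.src_port in REFLECTION_SRC_PORTS


def matched_bytes_by_service(flows):
    """Bytes the ACL would hand to the policer, broken down by service name."""
    out = Counter()
    for f in flows:
        if acl_matches(f):
            out[REFLECTION_SRC_PORTS[f.src_port]] += f.nbytes
    return dict(out)


def reflection_share(flows):
    """Percent of all UDP bytes that the ACL would divert into the rate limiter.

    A high share means the limiter mostly touches reflection-style traffic and
    leaves other UDP (DNS, RTP, QUIC) alone; a low share with a high UDP volume
    suggests the attack profile is not what these three ports cover.
    """
    udp_bytes = sum(f.nbytes for f in flows if f.proto == "udp")
    if udp_bytes == 0:
        return 0.0
    matched = sum(f.nbytes for f in flows if acl_matches(f))
    return round(100.0 * matched / udp_bytes, 2)


if __name__ == "__main__":
    for proto, pct in sorted(protocol_mix(SAMPLE_FLOWS).items(), key=lambda kv: -kv[1]):
        print(f"{pct:5.2f}% {proto}")
    print("policed bytes by service:", matched_bytes_by_service(SAMPLE_FLOWS))
    print("share of UDP hitting the ACL:", reflection_share(SAMPLE_FLOWS), "%")
```

Feeding real flow exports (NetFlow/IPFIX/sFlow) into `Flow` records is left to the reader; the point of the two percentages is that the ACL should be judged by what it diverts (mostly reflection-port traffic) against what it leaves untouched (the rest of UDP, including WebRTC and QUIC), which is exactly the end-to-end concern raised earlier in the thread.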