On Wed, 19 Aug 2015 19:53:48 +0000 "Smith, Donald" <[email protected]> wrote:
> But I am not sure that supports their original statement about ISPs
> limiting udp.

I took the context of the discussion at face value. Also, if I'm not mistaken, the draft refers more generally to "network operators", which may include a whole class of networks. I'm not supportive of the draft's recommendation on that more general basis and I'm not aware of so-called transit ISPs that do this already, but there are networks and network operators that have and do rate limit at borders and throughout their network. Semantics. :-)

> However if they just said some networks may rate limit udp ... it
> would still cover the basic concept without making any false claims.

That would be better, I agree, and if there was some discussion about the trade-offs of doing these sorts of things, and perhaps some discussion about the effects of them depending on where they reside, that might be helpful too.

> If our enterprise started seeing a lot of udp reflective attacks I
> would recommend this approach if we could limit it to a specific set
> of ports.

There is likely going to be some number of benign packets that are going to be dropped. Clients that just happen to pick the unlucky ephemeral value of 1900 (or whatever other unlucky value is being filtered) plus the occasional port selection by NAPT devices will be caught up in the packet dropping dragnet. Some people clearly don't mind this collateral damage and no amount of e2e talk will convince everyone. This too should be clearly spelled out so the trade-offs, potential problems and *sob* loss of transparency are documented.

John
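An added illustration of the trade-off raised in the message above (example code, not part of the thread): a blanket drop of UDP port 1900 at a border versus a token-bucket rate limit on the same port, both run over constructed sample traffic. The benign client whose NAPT happened to assign ephemeral port 1900, the reflection burst from source port 1900, and the rate/burst values are all assumptions made up for the example.

```python
from collections import namedtuple

# Constructed packet record: arrival time (s), UDP ports, and whether it is benign.
Packet = namedtuple("Packet", "t src_port dst_port benign")


def build_sample(port=1900):
    """Constructed traffic: a few benign DNS queries, two of which were assigned
    the 'unlucky' ephemeral port by a NAPT, plus a 200-packet reflection burst."""
    benign = [Packet(0.0, 40000, 53, True), Packet(1.0, port, 53, True),
              Packet(2.5, 50000, 53, True), Packet(3.0, port, 53, True),
              Packet(4.0, 60000, 53, True)]
    # Burst: 200 packets from source port 1900 in 0.2 s, aimed at a victim port.
    attack = [Packet(2.0 + i / 1000.0, port, 40001, False) for i in range(200)]
    return sorted(benign + attack, key=lambda p: p.t)


def blanket_drop(packets, port=1900):
    """Policy A: drop every UDP packet whose source or destination port matches."""
    return [p for p in packets if p.src_port != port and p.dst_port != port]


def rate_limit(packets, port=1900, rate=10.0, burst=20):
    """Policy B: token bucket on the filtered port; other traffic is untouched.
    Normal-rate clients on port 1900 pass; a burst is clipped once tokens run out."""
    tokens = float(burst)
    last = packets[0].t if packets else 0.0
    passed = []
    for p in packets:
        tokens = min(float(burst), tokens + (p.t - last) * rate)
        last = p.t
        if p.src_port != port and p.dst_port != port:
            passed.append(p)          # not subject to the limit
        elif tokens >= 1.0:
            tokens -= 1.0
            passed.append(p)
    return passed


def evaluate(policy, packets):
    """Return (benign packets dropped, attack packets passed) for a policy,
    i.e. collateral damage versus leakage."""
    passed = policy(packets)
    benign_dropped = sum(p.benign for p in packets) - sum(p.benign for p in passed)
    attack_passed = sum(not p.benign for p in passed)
    return benign_dropped, attack_passed


SAMPLE = build_sample()
```

Running `evaluate(blanket_drop, SAMPLE)` and `evaluate(rate_limit, SAMPLE)` shows the two sides of the trade-off: the blanket drop leaks nothing but loses both benign NAPT flows, while the rate limit keeps them and lets roughly a bucket's worth of the burst through.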
