Hi,

On Thu, Dec 06, 2018 at 01:14:54PM +1300, Brian E Carpenter wrote:
> > Which implies that as soon as the evil guys out there find a way to
> > generate DDoS streams carrying EHs that our border routers will (have to)
> > apply very strict rate limiting to everything they do not understand.
> >
> > - pass TCP
> > - rate-limit UDP on well-known reflective attack ports
> > - pass rest of UDP
> > - rate-limit ICMP
> > - rate-limit fragments
> > - rate-limit all the rest to something which can never exceed a customer's
> >   access-link
> >
> > game over, EH
>
> Just to point out that this is equivalent to saying "game over,
> any new layer 4 protocol" too. For example, you just killed SCTP.
> And the same goes for new protocols over IPv4.
Well. Since nobody is using SCTP, it can nicely live in the
"rate-limit all the rest to something ..." bucket...
But yes, "any new layer 4 protocol" is likely to not work in an Internet
that is basically full of hostile packets *in high volumes*.
Trying to run large volume traffic over UDP/443 is going to be the next
exercise in "operators told you that it isn't going to work"...
Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
OPSEC mailing list: https://www.ietf.org/mailman/listinfo/opsec
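The bucket list quoted in the thread, as an added illustration that is not part of the original messages: a small Python classifier that walks the IPv6 extension-header chain to find the transport protocol, next to the behaviour of a filter that only reads the fixed header's Next Header field, which is what drops every EH-bearing packet into the "rate-limit all the rest" bucket. The bucket names, the reflective-port set and the test packet builder are constructed assumptions for the example.

```python
import struct

# IPv6 Next Header values (IANA). A filter must skip these to reach the transport header.
HBH, ROUTING, FRAG, DSTOPT = 0, 43, 44, 60
TCP, UDP, ICMP6 = 6, 17, 58
# Assumed set of "well-known reflective attack ports" (DNS, NTP, SSDP, memcached).
REFLECT_PORTS = {53, 123, 1900, 11211}

def walk_chain(pkt: bytes):
    """Walk the EH chain; return (upper_proto, offset, fragmented) or None if truncated."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nh, off, fragmented = pkt[6], 40, False
    while nh in (HBH, ROUTING, FRAG, DSTOPT):
        if off + 8 > len(pkt):            # header chain runs past the packet
            return None
        fragmented |= nh == FRAG
        ext_len = 8 if nh == FRAG else (pkt[off + 1] + 1) * 8   # Fragment header is fixed 8 bytes
        nh, off = pkt[off], off + ext_len
    return nh, off, fragmented

def classify(pkt: bytes, walk_eh: bool = True) -> str:
    """Bucket per the thread's list; walk_eh=False models a filter that only reads the fixed header."""
    if walk_eh:
        res = walk_chain(pkt)
        if res is None:
            return "ratelimit-rest"
        proto, off, fragmented = res
        if fragmented:
            return "ratelimit-frag"
    else:
        proto, off = pkt[6], 40           # any EH-bearing packet looks "unknown" from here
        if proto == FRAG:
            return "ratelimit-frag"
    if proto == TCP:
        return "pass-tcp"
    if proto == UDP and off + 4 <= len(pkt):
        sport, dport = struct.unpack("!HH", pkt[off:off + 4])
        return "ratelimit-udp-reflect" if {sport, dport} & REFLECT_PORTS else "pass-udp"
    if proto == ICMP6:
        return "ratelimit-icmp"
    return "ratelimit-rest"               # SCTP and every other new layer 4 ends up here

def build_ipv6(exts, upper, payload=b""):
    """Constructed test packet: fixed header + zero-filled 8-byte EHs + payload."""
    chain = list(exts) + [upper]
    body = b"".join(bytes([chain[i + 1]]) + bytes(7) for i in range(len(exts))) + payload
    fixed = struct.pack("!IHBB16s16s", 0x60000000, len(body), chain[0], 64, bytes(16), bytes(16))
    return fixed + body
```

Comparing `classify(pkt)` with `classify(pkt, walk_eh=False)` on a TCP segment behind a Hop-by-Hop header shows the same packet landing in "pass-tcp" versus the catch-all bucket.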
