ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms

Saku Ytti saku at ytti.fi
Fri Mar 8 14:11:31 UTC 2019


Hey Töma,

> NB: Cloudflare is basically busy filtering excessive amounts of spoofed ICMP packets containing whatever parameters and payload criminals could fit into, at virtually no cost for a customer. Your list might become somewhat short then.

I don't know what the problem is here, but the Cloudflare blog
documents one specific problem related to ECMP, where the ICMPv6
messages arrive at the wrong host, and some solutions they are using to
overcome that problem.
You are proposing that in this case, there is no such issue of
delivering ICMPv6 messages to the correct host, but in this case the issue is
a voluntary protection mechanism against too high a volume of bad ICMPv6
packets. Is this something you personally are aware of or is this
something you suspect might explain the problem?

Personally I'm surprised if ICMP volume is relevant based on our
netflow data. And I've personally been affected in my own deployments
with the ECMP problem and have solved it by just sending smaller
packets. I understand it to be a common problem and it would be good if
we'd start asking vendors to fix the problem. The Cloudflare blog
entry is 4 years old; if they had started actively pursuing a proper fix
to the ECMP problem, the fix would be in production right about now.


-- 
  ++ytti
