ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms
Töma Gavrichenkov
ximaera at gmail.com
Fri Mar 8 15:44:05 UTC 2019
On Fri, Mar 8, 2019 at 5:11 PM Saku Ytti <saku at ytti.fi> wrote:
> Personally I'm surprised if ICMP volume is relevant based on our
> netflow data.
Legitimate ICMP traffic volume — oh, that's for sure.
But when it comes to attack volumes, it's a different story, and
current netflow measurements might be a bad indicator here, as in
"peacetime generals are always fighting the last war instead of the
next one".
> You are proposing that in this case, there is no such issue of
> delivering ICMPv6 messages to correct host
Guaranteed delivery of untrusted remote messages to exactly the
particular host behind an equal cost fanout, if allowed in a DDoS
mitigation network, is itself a problem, but that has been discussed
in detail in Section 6 of RFC 6437.
My point is that it might be hard to find an affordable device that
implements ECMP with v6 flow labels without a considerable performance
impact. I would personally be happy to see what others have tested in
that regard.
--
Töma
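The ECMP hashing question discussed above, as an added example that is not part of the original post and not any vendor's implementation: a small Python model of how a load balancer picks the flow key for an inbound IPv6 packet, either the 5-tuple or the (src, dst, flow label) 3-tuple of RFC 6437, and how an ICMPv6 error such as Packet Too Big can be keyed on the embedded original packet with direction reversed so that it reaches the backend owning the flow. The addresses, flow labels, ports, bucket count, the SHA-256 key hash and the packets themselves are all constructed for the illustration; IPv6 extension headers are not parsed.

```python
import hashlib
import struct
from ipaddress import IPv6Address

# ICMPv6 error types (RFC 4443) that carry the invoking packet after an 8-byte header:
# 1 destination unreachable, 2 packet too big, 3 time exceeded, 4 parameter problem
ICMPV6_ERROR_TYPES = {1, 2, 3, 4}
PROTO_TCP, PROTO_UDP, PROTO_ICMPV6 = 6, 17, 58

# Constructed addresses and labels (RFC 3849 documentation prefix), not real hosts.
CLIENT, FARM, ROUTER = "2001:db8:1::10", "2001:db8:2::53", "2001:db8:3::1"
CLIENT_LABEL, FARM_LABEL = 0x1ABCD, 0x2F00D


def ipv6_header(src, dst, next_header, payload_len, flow_label=0, hop_limit=64):
    """Build a 40-byte IPv6 fixed header with traffic class 0."""
    first_word = (6 << 28) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB16s16s", first_word, payload_len, next_header,
                       hop_limit, IPv6Address(src).packed, IPv6Address(dst).packed)


def tcp_segment(sport, dport, payload=b""):
    """Minimal 20-byte TCP header; only the ports matter for ECMP hashing."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0) + payload


def flow_key(pkt, mode="5tuple", icmp_aware=True):
    """Return the tuple an ECMP device would hash for pkt, or None if malformed.

    mode="5tuple":    (src, dst, next_header, sport, dport)
    mode="flowlabel": (src, dst, flow_label), the RFC 6437 3-tuple
    With icmp_aware, ICMPv6 error messages are keyed on the embedded packet
    with src/dst (and ports) swapped, i.e. on the inbound flow they refer to.
    """
    if len(pkt) < 40:
        return None
    first_word, _plen, nh, _hl, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if first_word >> 28 != 6:
        return None
    label = first_word & 0xFFFFF
    body = pkt[40:]
    if icmp_aware and nh == PROTO_ICMPV6 and len(body) >= 8 and body[0] in ICMPV6_ERROR_TYPES:
        # The embedded packet is the one our host sent, so its src is us and its dst the peer.
        inner = flow_key(body[8:], mode, icmp_aware=False)
        if inner is not None:
            if mode == "5tuple":
                s, d, proto, sp, dp = inner
                return (d, s, proto, dp, sp)
            s, d, inner_label = inner
            return (d, s, inner_label)
        # Embedded packet truncated or unparseable: fall back to the outer header.
    if mode == "flowlabel":
        return (src, dst, label)
    if nh in (PROTO_TCP, PROTO_UDP) and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        return (src, dst, nh, sport, dport)
    return (src, dst, nh, 0, 0)


def ecmp_bucket(pkt, n_buckets, mode="5tuple", icmp_aware=True):
    """Map a packet to one of n_buckets backends (hash function is an assumption)."""
    key = flow_key(pkt, mode, icmp_aware)
    if key is None:
        return None
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_buckets


def build_example():
    """Constructed packets: the inbound client segment, the farm's oversized reply,
    and the router's Packet Too Big that quotes the start of that reply."""
    inbound = ipv6_header(CLIENT, FARM, PROTO_TCP, 20, CLIENT_LABEL) + tcp_segment(40000, 443)
    reply = (ipv6_header(FARM, CLIENT, PROTO_TCP, 20 + 1400, FARM_LABEL)
             + tcp_segment(443, 40000, b"A" * 1400))
    # Type 2, code 0, checksum left 0 (not verified here), MTU 1280, then as much of the
    # invoking packet as fits in the 1280-byte minimum MTU (1280 - 40 - 8 = 1232 bytes).
    icmp_body = struct.pack("!BBHI", 2, 0, 0, 1280) + reply[:1232]
    ptb = ipv6_header(ROUTER, FARM, PROTO_ICMPV6, len(icmp_body)) + icmp_body
    # A PTB that quotes only 20 bytes of the invoking packet: not enough to recover the flow.
    short_body = struct.pack("!BBHI", 2, 0, 0, 1280) + reply[:20]
    truncated_ptb = ipv6_header(ROUTER, FARM, PROTO_ICMPV6, len(short_body)) + short_body
    return inbound, ptb, truncated_ptb


if __name__ == "__main__":
    inbound, ptb, truncated_ptb = build_example()
    for mode in ("5tuple", "flowlabel"):
        print(mode, "inbound ->", ecmp_bucket(inbound, 8, mode),
              "PTB (naive) ->", ecmp_bucket(ptb, 8, mode, icmp_aware=False),
              "PTB (inner-aware) ->", ecmp_bucket(ptb, 8, mode))
```

Two things the model makes visible. With a 5-tuple key, swapping the embedded packet's addresses and ports reproduces the inbound flow's key exactly, so the PTB lands on the same backend; with a naive outer-header key it is hashed as a random flow from the router. With the RFC 6437 3-tuple, the label in the embedded packet is the one the farm's host put on its own outgoing reply, not the label the client used inbound, so a pure flow-label hash only maps the error back correctly if the responder reflects the client's label (here it does not, so the keys differ). A PTB that quotes too little of the invoking packet falls back to the outer header rather than being dropped. The model says nothing about how cheaply any real forwarding ASIC can do this lookup, which is the cost question raised in the post.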