ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms

Töma Gavrichenkov ximaera at gmail.com
Fri Mar 8 15:44:05 UTC 2019


On Fri, Mar 8, 2019 at 5:11 PM Saku Ytti <saku at ytti.fi> wrote:
> Personally I'm surprised if ICMP volume is relevant based on our
> netflow data.

Legitimate ICMP traffic volume — oh, that's for sure.

But when it comes to attack volumes, it's a different story, and
current netflow measurements might be a bad indicator here, as in
"peacetime generals are always fighting the last war instead of the
next one".

> You are proposing that in this case, there is no such issue of
> delivering ICMPv6 messages to correct host

Guaranteed delivery of untrusted remote messages to exactly the
particular host behind an equal cost fanout, if allowed in a DDoS
mitigation network, is itself a problem, but that has been discussed
in detail in Section 6 of RFC 6437.

My point is that it might be hard to find an affordable device that
implements ECMP with v6 flow labels without a considerable performance
impact. I would personally be happy to see what others have tested in
that regard.

--
Töma
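The delivery problem the thread is about, as an added, constructed example that is not part of the mailing list post or of any vendor's implementation: a client flow is pinned to one backend by an ECMP hash over the outer 5-tuple, but an ICMPv6 Packet Too Big message for that flow arrives from a router with its own source address and a zero flow label, so the same hash sends it to an arbitrary backend. The "aware" variant shows one way a fanout device can fix this without flow labels, by parsing the offending packet embedded in the ICMPv6 error and hashing its reversed tuple. The addresses, port numbers, backend count and the CRC32 stand-in for a router hash function are all assumptions made for the demo.

```python
"""Constructed demo: ICMPv6 Packet Too Big delivery behind an ECMP fanout."""
import ipaddress
import struct
import zlib

TCP_NEXT_HEADER = 6
ICMPV6_NEXT_HEADER = 58
ICMPV6_PACKET_TOO_BIG = 2
ICMPV6_ERROR_TYPES = (1, 2, 3, 4)  # RFC 4443 error messages embed the offending packet

# Assumed addresses and farm size for the demo (all constructed)
CLIENT = "2001:db8:1::10"
VIP = "2001:db8:ffff::443"
ROUTER = "2001:db8:2::1"
BACKENDS = 8


def ipv6_header(src, dst, next_header, payload_len, flow_label=0):
    """40-byte IPv6 header: version 6, traffic class 0, given flow label, hop limit 64."""
    vtf = (6 << 28) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB16s16s", vtf, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header; sequence numbers and checksum left zero (constructed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0)


def build_tcp_packet(src, dst, sport, dport, flow_label=0):
    tcp = tcp_header(sport, dport)
    return ipv6_header(src, dst, TCP_NEXT_HEADER, len(tcp), flow_label) + tcp


def build_packet_too_big(router, victim, original, mtu):
    """ICMPv6 type 2: 8-byte header (checksum left zero) followed by the offending packet."""
    icmp = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + original[:1232]
    return ipv6_header(router, victim, ICMPV6_NEXT_HEADER, len(icmp)) + icmp


def parse_ipv6(pkt):
    vtf, _plen, nh, _hop, src, dst = struct.unpack_from("!IHBB16s16s", pkt, 0)
    return {"flow_label": vtf & 0xFFFFF, "next_header": nh,
            "src": ipaddress.IPv6Address(src), "dst": ipaddress.IPv6Address(dst),
            "payload": pkt[40:]}


def five_tuple(pkt):
    """(src, dst, proto, sport, dport); ports are 0 for anything that is not TCP."""
    h = parse_ipv6(pkt)
    sport = dport = 0
    if h["next_header"] == TCP_NEXT_HEADER:
        sport, dport = struct.unpack_from("!HH", h["payload"], 0)
    return (h["src"].packed, h["dst"].packed, h["next_header"], sport, dport)


def ecmp_hash(tup, n):
    """Deterministic stand-in for a router or load balancer hash (assumption: CRC32)."""
    return zlib.crc32(struct.pack("!16s16sBHH", *tup)) % n


def naive_ecmp(pkt, n):
    """Plain 5-tuple ECMP: hashes the router->VIP outer header of an ICMPv6 error."""
    return ecmp_hash(five_tuple(pkt), n)


def icmp_aware_ecmp(pkt, n):
    """For ICMPv6 errors, hash the embedded packet's tuple reversed so it lands
    on the backend that owns the client->server flow; everything else as naive."""
    h = parse_ipv6(pkt)
    if h["next_header"] == ICMPV6_NEXT_HEADER and h["payload"][0] in ICMPV6_ERROR_TYPES:
        inner = h["payload"][8:]
        if len(inner) >= 44:  # need the inner IPv6 header plus the port fields
            src, dst, proto, sport, dport = five_tuple(inner)
            return ecmp_hash((dst, src, proto, dport, sport), n)
    return naive_ecmp(pkt, n)


def demo(n=BACKENDS):
    inbound = build_tcp_packet(CLIENT, VIP, 51000, 443)     # client -> farm, pins the flow
    reply = build_tcp_packet(VIP, CLIENT, 443, 51000)       # the server's large reply
    ptb = build_packet_too_big(ROUTER, VIP, reply, 1280)   # router reports it too big
    return {"flow_backend": naive_ecmp(inbound, n),
            "ptb_naive": naive_ecmp(ptb, n),
            "ptb_aware": icmp_aware_ecmp(ptb, n)}


if __name__ == "__main__":
    print(demo())
```

With plain 5-tuple hashing the PTB reaches the right backend only by chance (one in n), so that host keeps sending oversized segments and the client's connection stalls; the inner-header hash makes delivery deterministic. It also illustrates the caveat in the post: once the fanout steers on the embedded header, an untrusted sender chooses which host receives its message, which is the concern the post points to in RFC 6437.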