Re: [IPFIX] draft-ietf-ipfix-protocol-26.txt

Scott
Historically the biggest issue with IPFIX has been that most
implementers want to run it over UDP with consequences be damned.
This was weaseled in the IPFIX Requirements document (RFC 3917) by
requiring (in section 6.3.1) that "For the data transfer, a congestion
aware protocol must be supported."  This draft meets that requirement by
making the implementation of SCTP a MUST.  That will not stop many
implementers from ignoring the requirement for implementation, or users
from enabling UDP, and thus creating a potentially very high bandwidth
non-congestion avoiding fire hose that can quite easily wipe out a net
by misconfiguration or become a DoS engine by purposeful configuration.

I'm not sure if anything can actually be done about this risk.  It
might help some to say that UDP is a "MUST NOT", but I doubt it.  In any
case it would help somewhat, imho, to expand section 10.3 to be clearer
about the threats posed by any use of a non-congestion avoiding
transport protocol, or to do that in the Security Considerations section.

There is text in section 10.1 which states:

   UDP MAY be used although it is not a congestion aware protocol.
   However, the IPFIX traffic between Exporter and Collector MUST run
   in an environment where IPFIX traffic has been provisioned for or is
   contained through some other means.

This sets out the set of conditions that MUST be fulfilled in order to
run IPFIX over UDP safely.

Stewart

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
