On 06/12/2018 00:14, Brian E Carpenter wrote:
On 2018-12-05 21:52, Gert Doering wrote:
Hi,
On Tue, Dec 04, 2018 at 10:57:43PM -0500, Christopher Morrow wrote:
HA! ok. As gert/nick noted ... we have Nx100G links today (at the edge) and
coming nx400G ... there's just not a reasonable story for "dpi" there. (I
suppose: "yet" and "without paying the approximate value of the Coca-Cola
Company's yearly advertising budget")
Indeed.
Unfortunately, there *is* a story for being able to rate-limit incoming
crap by protocol type - "give me no more than 200 Mbit/s of UDP packets
coming from source port 53".
Which implies that as soon as the evil guys out there find a way to
generate DDoS streams carrying EHs, our border routers will (have to)
apply very strict rate limiting to everything they do not understand:
- pass TCP
- rate-limit UDP on well-known reflective attack ports
- pass rest of UDP
- rate-limit ICMP
- rate-limit fragments
- rate-limit all the rest to something which can never exceed a customer's
access-link
game over, EH
Just to point out that this is equivalent to saying "game over, any new layer 4 protocol" too. For example, you just killed SCTP. And the same goes for new protocols over IPv4.
Brian
... a consequence of the original design decision to make options and
next protocols indistinguishable other than by knowing the full set of
next protocol types.
However, aren't we moving to a world where new protocols get carried
over UDP anyway? This is needed so that those protocols can pass
through NATs and firewalls, and be subjected to ECMP to spread them
across the available paths.
- Stewart
(We're not doing this today, because as of today, "volume DDoS" comes in
without EHs [except fragment] - but this is just a matter of time)
Gert Doering
-- NetMaster
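To make the point of the thread concrete, here is an added example (mine, not from any of the posters) of the classifier a border router would need to implement Gert's policy list: it walks the IPv6 next-header chain using a fixed set of known extension-header types and drops anything else into the "rest" bucket, which is exactly why SCTP (protocol 132) and any new transport or unknown EH end up rate-limited alongside the attack traffic, as Brian and Stewart note. The reflection-port set and the decision to let the fragment rule win over the per-protocol rules are my assumptions.

```python
import struct

# Extension-header types the classifier knows how to walk (IANA IPv6 EH list).
# Any other next-header value is assumed to be an upper-layer protocol, because
# the wire format gives no other way to tell an EH from a transport.
EXT_HEADERS = {0, 43, 44, 51, 60, 135, 139, 140}
FRAGMENT, AH = 44, 51
TCP, UDP, ICMPV6 = 6, 17, 58
REFLECTION_SRC_PORTS = {53, 123, 161, 1900}  # assumed sample set, not from the thread


def walk_chain(pkt: bytes):
    """Follow the next-header chain; return (upper-layer proto, its offset, saw_fragment)."""
    nh, off, frag = pkt[6], 40, False
    while nh in EXT_HEADERS and off + 2 <= len(pkt):
        if nh == FRAGMENT:
            frag, hdr_len = True, 8            # fragment header is fixed-size
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4   # AH length in 4-octet units, minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8   # other EHs: 8-octet units, not counting first 8
        nh, off = pkt[off], off + hdr_len
    return nh, off, frag


def classify(pkt: bytes) -> str:
    """Map a packet onto the policy buckets from Gert's list."""
    proto, off, frag = walk_chain(pkt)
    if frag:                                   # assumption: fragment rule takes precedence
        return "rate-limit-fragment"
    if proto == TCP:
        return "pass"
    if proto == UDP:
        src_port = struct.unpack("!H", pkt[off:off + 2])[0]
        return "rate-limit-reflection" if src_port in REFLECTION_SRC_PORTS else "pass"
    if proto == ICMPV6:
        return "rate-limit-icmp"
    return "rate-limit-rest"                   # SCTP, ESP, new transports, unknown EHs


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed minimal IPv6 packet: fixed header with zeroed addresses + payload."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, b"\0" * 16, b"\0" * 16)
    return hdr + payload


if __name__ == "__main__":
    udp_from_53 = struct.pack("!HHHH", 53, 4444, 8, 0)
    dstopt_then_sctp = bytes([132, 0, 1, 4, 0, 0, 0, 0]) + b"\0" * 12
    print(classify(ipv6(TCP, b"\0" * 20)))                 # pass
    print(classify(ipv6(UDP, udp_from_53)))                 # rate-limit-reflection
    print(classify(ipv6(60, dstopt_then_sctp)))             # rate-limit-rest (SCTP behind a dest-opts EH)
```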