On 06/12/2018 02:37, Fernando Gont wrote:
On 5/12/18 21:14, Brian E Carpenter wrote:
On 2018-12-05 21:52, Gert Doering wrote:
Hi,
On Tue, Dec 04, 2018 at 10:57:43PM -0500, Christopher Morrow wrote:
HA! ok. As gert/nick noted ... we have Nx100G links today (at the edge) and
coming Nx400G ... there's just not a reasonable story for "dpi" there. (I
suppose: "yet" and "without paying the approximate value of the Coca-Cola
Company's yearly advertising budget")
Indeed.
Unfortunately, there *is* a story for being able to rate-limit incoming
crap by protocol type - "give me no more than 200 Mbit/s of UDP packets
coming from source port 53".
Which implies that as soon as the evil guys out there find a way to
generate DDoS streams carrying EHs, our border routers will (have to)
apply very strict rate limiting to everything they do not understand:
- pass TCP
- rate-limit UDP on well-known reflective-attack ports
- pass rest of UDP
- rate-limit ICMP
- rate-limit fragments
- rate-limit all the rest to something which can never exceed a customer's
access-link
game over, EH
Just to point out that this is equivalent to saying "game over, any new layer 4 protocol" too. For example, you just killed SCTP. And the same goes for new protocols over IPv4.
Not exactly the same. If you are using a new transport protocol (*)
without any EHs, you have already found the upper-layer protocol. You may
allow or drop, but that's it. With EHs, if you need to do packet
filtering or ECMP, you need to follow the EH chain. The latter
(particularly if the EH) is normally going to cause issues, where the
former would not.
I think the problem is that it is very difficult to teach the core about
any new transport protocol.
- Stewart
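To make concrete the difference Fernando draws (a new transport protocol without EHs is identified by the Next Header field alone, while a packet carrying EHs forces the filter to walk the chain) and the rate-limiting policy Gert sketches, here is an added example, not code from anyone in this thread. It walks an IPv6 extension-header chain per RFC 8200 (and RFC 4302 for AH) and then sorts the packet into Gert's buckets. The `eh_budget` parameter, the `REFLECTOR_PORTS` set beyond port 53, and all of the sample packets are assumptions made for the example; the addresses are zero placeholders.

```python
"""IPv6 extension-header chain walker plus a classifier applying the policy
from the thread: pass TCP, rate-limit UDP from reflector ports, pass other
UDP, rate-limit ICMPv6, rate-limit fragments, rate-limit everything else.
Added example, not code from the thread. Sample packets are constructed."""
import struct

# IANA Next Header / protocol numbers used below
HOPOPT, TCP, UDP, ROUTING, FRAGMENT = 0, 6, 17, 43, 44
AH, ICMPV6, DSTOPTS, SCTP = 51, 58, 60, 132

# UDP source ports treated as reflector ports (assumption; the thread names only 53)
REFLECTOR_PORTS = {53, 123, 1900, 11211}


def walk_chain(pkt):
    """Follow the Next Header chain of an IPv6 packet.

    Returns (upper_layer_proto, payload_offset, eh_chain, is_fragment).
    upper_layer_proto is None for a non-first fragment: its transport header
    is in another packet. Raises ValueError on truncated input.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain, frag = pkt[6], 40, [], False
    while True:
        if nxt in (HOPOPT, ROUTING, DSTOPTS):
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            hdr_len = (pkt[off + 1] + 1) * 8   # RFC 8200: 8-octet units, first 8 excluded
        elif nxt == AH:
            if off + 2 > len(pkt):
                raise ValueError("truncated AH")
            hdr_len = (pkt[off + 1] + 2) * 4   # RFC 4302: 4-octet units, minus 2
        elif nxt == FRAGMENT:
            if off + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            hdr_len, frag = 8, True
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3 != 0:
                chain.append(FRAGMENT)         # offset != 0: no L4 header in this packet
                return None, off + 8, chain, True
        else:
            return nxt, off, chain, frag       # reached the upper-layer header
        chain.append(nxt)
        nxt = pkt[off]
        off += hdr_len
        if off > len(pkt):
            raise ValueError("extension header runs past end of packet")


def classify(pkt, eh_budget=2):
    """Return the policy bucket for one packet.

    eh_budget models a forwarding ASIC that parses only a bounded number of
    extension headers; deeper chains fall into the "do not understand" bucket.
    """
    try:
        proto, off, chain, frag = walk_chain(pkt)
    except ValueError as e:
        return f"rate-limit: unparseable ({e})"
    if len(chain) > eh_budget:
        return f"rate-limit: EH chain of {len(chain)} exceeds budget {eh_budget}"
    if frag:
        return "rate-limit: fragment"
    if proto == TCP:
        return "pass: TCP"
    if proto == UDP:
        if off + 8 > len(pkt):
            return "rate-limit: unparseable (short UDP header)"
        sport = struct.unpack_from("!H", pkt, off)[0]
        return f"rate-limit: UDP sport {sport}" if sport in REFLECTOR_PORTS else "pass: UDP"
    if proto == ICMPV6:
        return "rate-limit: ICMPv6"
    return f"rate-limit: other (proto {proto})"


# --- constructed sample packets (not captured traffic) ----------------------
def ipv6(next_hdr, payload):
    """40-byte IPv6 header: version 6, zero TC/flow, hop limit 64, zero addresses."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + bytes(32) + payload

def opts_hdr(next_hdr):
    """Minimal 8-byte Hop-by-Hop/Destination Options header holding one PadN(4)."""
    return bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])

def frag_hdr(next_hdr, offset, more=0, ident=0x1234):
    return struct.pack("!BBHI", next_hdr, 0, (offset << 3) | more, ident)

def udp_hdr(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def tcp_hdr(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

SAMPLES = {
    "plain tcp":         ipv6(TCP, tcp_hdr(40000, 443)),
    "dns reflection":    ipv6(UDP, udp_hdr(53, 40000)),
    "tcp behind dstopt": ipv6(DSTOPTS, opts_hdr(TCP) + tcp_hdr(40000, 443)),
    "tcp behind 3 ehs":  ipv6(HOPOPT, opts_hdr(DSTOPTS) + opts_hdr(DSTOPTS)
                               + opts_hdr(TCP) + tcp_hdr(40000, 443)),
    "first fragment":    ipv6(FRAGMENT, frag_hdr(UDP, 0, more=1) + udp_hdr(53, 40000)),
    "later fragment":    ipv6(FRAGMENT, frag_hdr(UDP, 185) + bytes(8)),
    "sctp":              ipv6(SCTP, bytes(12)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18s} -> {classify(pkt)}")
```

Two things the run shows that the prose only asserts: the SCTP packet is identified in one step and lands in the catch-all bucket regardless of how many headers the router is willing to parse (Brian's point), while the TCP packet behind three options headers is perfectly good TCP that gets rate-limited as soon as `eh_budget` is smaller than the chain (Gert's "game over, EH"). Non-first fragments hand back `None` for the upper-layer protocol because there is nothing in the packet to identify it, which is why fragments end up in their own rate-limited bucket.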