netdev

Re: missing icmp errors for udp packets

To: Chris Wedgwood <cw@xxxxxxxx>
Subject: Re: missing icmp errors for udp packets
From: Pekka Savola <pekkas@xxxxxxxxxx>
Date: Tue, 31 Jul 2001 22:59:39 +0300 (EEST)
Cc: <kuznet@xxxxxxxxxxxxx>, <therapy@xxxxxxxxxxxxx>, <netdev@xxxxxxxxxxx>, <linux-kernel@xxxxxxxxxxxxxxx>, <davem@xxxxxxxxxx>
In-reply-to: <20010801074132.G8228@xxxxxxxxxxxxx>
Original-recipient: rfc822;linux-kernel-outgoing
Sender: owner-netdev@xxxxxxxxxxx
On Wed, 1 Aug 2001, Chris Wedgwood wrote:
>    --- cheap router thing
>
> "really good ping responder" is a pointless purpose.

bad ping responder == bad PR ;-)

And anyway, who is anyone to judge what the system should be used for?

I want a system to respond to ping without limitations; it's good for
debugging, diagnostics, etc.  If I want, I can just filter the requests
out, or rate-limit the responses.

However, ICMP error messages cannot be effectively filtered; they may
happen due to TTL=0 when forwarding, legit or illegit UDP connection etc.;
only way to effectively limit them is by rate-limiting.  If rate-limiting
with informational and error types are the same, we have an inflexible
situation here.

>     Then kernel must be shipped out without rate-limiting enabled by
>     default, that's problem.
>
> I guess I missed something.  That doesn't seem like a problem to
> me... and if you need to ship with a rate by default, then ship with a
> very-high rate.  I've never managed to respond to more than 60,000
> ICMP packets/second, so I suggest 60,001.

Yes you did.  60,000 responses/sec is effectively no protection at all,
and most people would appreciate protection for the error messages, which
are crucial to the working of TCP/IP; not so with informational ICMP
messages.

And by the way, rate-limiting ICMP error messages is a MUST item for IPv6.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
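
The distinction argued for in the message above (rate-limit ICMP error types while leaving informational types such as echo replies to be filtered or limited separately) can be sketched as a token bucket gated by a per-type mask. This is an added example, not part of the original message and not kernel code; the mask, rate and burst values and the names `icmp_limiter`, `icmp_allow` and `offer` are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ICMPv4 type numbers from RFC 792. */
enum { ECHO_REPLY = 0, DEST_UNREACH = 3, TIME_EXCEEDED = 11, PARAM_PROBLEM = 12 };

/* Constructed policy: limit error types only, leave echo replies alone. */
#define ERROR_MASK ((1u << DEST_UNREACH) | (1u << TIME_EXCEEDED) | (1u << PARAM_PROBLEM))

struct icmp_limiter {
    uint32_t type_mask; /* bit N set => ICMP type N is rate-limited */
    uint32_t rate;      /* tokens added per second (must be > 0) */
    uint32_t burst;     /* bucket depth */
    uint32_t tokens;    /* tokens currently available */
    uint64_t last_ms;   /* time of last refill, in milliseconds */
};

/* Returns true if an ICMP message of this type may be sent at now_ms. */
static bool icmp_allow(struct icmp_limiter *l, unsigned type, uint64_t now_ms)
{
    if (type > 31 || !(l->type_mask & (1u << type)))
        return true; /* type not in mask: not limited by this bucket */
    uint64_t add = (now_ms - l->last_ms) * l->rate / 1000;
    if (add > 0) {
        uint64_t total = l->tokens + add;
        l->tokens = total > l->burst ? l->burst : (uint32_t)total;
        l->last_ms += add * 1000 / l->rate; /* carry the unused fraction */
    }
    if (l->tokens == 0)
        return false;
    l->tokens--;
    return true;
}

/* Offer n messages of one type at the same instant; count how many pass. */
static unsigned offer(struct icmp_limiter *l, unsigned type, unsigned n, uint64_t now_ms)
{
    unsigned sent = 0;
    for (unsigned i = 0; i < n; i++)
        sent += icmp_allow(l, type, now_ms);
    return sent;
}

int main(void)
{
    struct icmp_limiter l = { ERROR_MASK, 10, 5, 5, 0 };
    printf("errors at t=0: %u\n", offer(&l, DEST_UNREACH, 1000, 0));
    printf("echo replies at t=0: %u\n", offer(&l, ECHO_REPLY, 1000, 0));
    printf("errors at t=300ms: %u\n", offer(&l, TIME_EXCEEDED, 1000, 300));
    return 0;
}
```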
