[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Inflexible ICMP6 Error-limiting Considered Harmful

	this portion is implementation-dependent (as described in RFC2463) so
	noone is right and noone is wrong, but...

>Real fix would be to implement _error-rate_, in addition to
>_error-interval_ (with sane defaults).  For example, if sampling period
>would be 100 ms and it would be acceptable to have 5 _packets_ per period,
>the potential denial of service attacks would be prevented but the
>traceroute, etc. functionality would still work.

	during KAME development process, it was found that error interval
	limitation is not a good way.  we now impose "maximum N outgoing
	icmp6 per second" (packet-per-second) limitation, which works quite