(Tailed down the cc:)

On Wed, 7 Jan 2004, Fred Templin wrote:
> >Why not limit the rate of ICMPv6 error messages to a particular
> >source by using even the token-bucket based method ?
>
> I would be concerned about the overhead for caching per-source
> information, especially in low-end routers. But, that's just an
> off-the-cuff remark and not well thought out in terms of all
> the implications.
I'm worried about the same thing -- and I don't think source-based
token-bucket is justified.  Sure, feel free to do so, but a regular one
should work just as well with sufficiently large burst allowance (e.g.,
50-100 packets).  If someone is DoS'ing you it may actually be a feature
that you don't consider the source .. you can't overload the box by
spoofing different source addresses :-)

W.r.t. the other thread, I don't have objections to giving an
implementation hint on the parameters -- it's just that I don't think
it's really needed.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
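The trade-off the two messages above argue over (a single global token bucket with a generous burst allowance versus one bucket per source address) is easy to see in a small simulation. The code below is an added example written for this page; it is not code from the thread, from either poster, or from any IETF document. The rate and burst values (100 errors/s, burst 100) and the two packet streams are constructed for illustration and are not taken from any specification; the addresses are from the 2001:db8::/32 documentation prefix.

```python
"""ICMPv6 error-message rate limiting: global token bucket vs. per-source buckets.

Added example, not from the original thread.  Parameters and traffic are
constructed.  Time is kept in integer milliseconds and tokens in millitokens
so the arithmetic is exact (a router data path does not want floats here).
"""

RATE = 100    # tokens (ICMPv6 errors) per second
BURST = 100   # bucket capacity: the burst allowance the reply argues for


class TokenBucket:
    """Classic token bucket.  'rate' tokens/s is the same as 'rate'
    millitokens per millisecond, which keeps refill arithmetic integral."""

    def __init__(self, rate, burst, now_ms=0):
        self.rate = rate
        self.capacity = burst * 1000
        self.tokens = self.capacity      # start full so an idle host can burst
        self.last_ms = now_ms

    def allow(self, now_ms):
        """Refill for the elapsed time, then spend one token if available."""
        elapsed = max(0, now_ms - self.last_ms)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def limit_global(events, rate, burst):
    """One bucket for every ICMPv6 error the router would send.
    Returns (errors_sent, state_entries); state is always one bucket."""
    bucket = TokenBucket(rate, burst, now_ms=events[0][0] if events else 0)
    sent = sum(1 for t_ms, _src in events if bucket.allow(t_ms))
    return sent, 1


def limit_per_source(events, rate, burst):
    """One bucket per triggering source address (the scheme Fred Templin
    worried about).  Returns (errors_sent, state_entries); state grows with
    the number of distinct sources seen, spoofed or not."""
    table = {}
    sent = 0
    for t_ms, src in events:
        bucket = table.get(src)
        if bucket is None:
            bucket = table[src] = TokenBucket(rate, burst, now_ms=t_ms)
        if bucket.allow(t_ms):
            sent += 1
    return sent, len(table)


# --- constructed traffic ----------------------------------------------------

def legit_burst(n=60, src="2001:db8::1", start_ms=0):
    """One real host triggering 60 errors in 60 ms (e.g. a traceroute sweep)."""
    return [(start_ms + i, src) for i in range(n)]


def spoof_flood(n=10_000, start_ms=10_000):
    """10 000 packets in one second, each with a different forged source."""
    return [(start_ms + i // 10, f"2001:db8:ffff::{i:x}") for i in range(n)]


if __name__ == "__main__":
    for name, events in (("legitimate burst", legit_burst()),
                         ("spoofed flood", spoof_flood())):
        g_sent, g_state = limit_global(events, RATE, BURST)
        p_sent, p_state = limit_per_source(events, RATE, BURST)
        print(f"{name:17s} global: sent={g_sent:5d} state={g_state:6d} | "
              f"per-source: sent={p_sent:5d} state={p_state:6d}")
```

With a burst allowance of 100 the global bucket passes the legitimate 60-packet burst untouched, while under the spoofed flood it sends 199 errors (100 stored plus about one second of refill) and keeps exactly one bucket of state. The per-source variant sends all 10 000 errors, because every forged address gets its own full bucket, and ends the second holding 10 000 buckets: that is the "spoofing different source addresses" overload the reply points at. Running the same burst with `BURST = 10` shows the other half of the argument: the global bucket then clips a harmless 60-packet burst to 15, which is why the reply insists on a sufficiently large burst rather than on per-source accounting.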