Brian, Pekka,

There is no doubt that setting ICMP rate limiting per node in a router with both slow and fast interfaces to accommodate one interface may be very detrimental to the other: imagine T1 and 1Gbit Ethernet interfaces; 1% of a T1's 1.5Mbit/sec is 15kbit/sec, which is 0.00000015% of a 1Gbit/sec, and 1% of a 1Gbit/sec is 10Mbit/sec, way over 1.5Mbit/sec.

That being said, I am sorry that my message was badly phrased, and so it misguided your answers. Never mind!

Essentially, I was looking for something like the references I am mentioning below. These references provide examples of rate limiting ICMP per interface in LINUX systems, as well as CISCO routers, supposedly in relationship to traffic management.

I think these references answer Pekka's original concern of 2 implementations that support ICMP rate control per interface:


***Number 1: On the LINUX.ORG WEB site - more exactly:

http://www.linux.org/docs/ldp/howto/Adv-Routing-HOWTO/lartc.cookbook.icmp-ratelimit.html

refers to the "Linux Advanced Routing & Traffic Control HOWTO Cookbook, chapter 15", also available at:

http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.cookbook.icmp-ratelimit.html

in which it is shown how to limit, in LINUX, the ICMP rate on an Ethernet interface:

----excerpt
We first set up the prerequisite parts:

# tc qdisc add dev eth0 root handle 10: cbq bandwidth 10Mbit avpkt 1000
# tc class add dev eth0 parent 10:0 classid 10:1 cbq bandwidth 10Mbit rate \
10Mbit allot 1514 prio 5 maxburst 20 avpkt 1000

Now we need a filter to assign ICMP traffic to this class:

# tc filter add dev eth0 parent 10:0 protocol ip prio 100 u32 match ip \
  protocol 1 0xFF flowid 10:100

----end of excerpt


***Number 2

On the WEB site:

http://www.cisco.com/en/US/products/hw/modules/ps2710/products_data_sheet09186a008015cfee.html

the "Cisco 12000 Series 4-Port Gigabit Ethernet ISE Line Card Features and Functions " refers to

"ICMP rate limiting on port and VLAN level".

****Number 3

on

http://www.cisco.com/en/US/tech/tk583/tk385/technologies_white_paper09186a0080174a5b.shtml

there is a reference on how to use CAR to rate limit ICMP packets in the following example:

----excerpt
interface xy
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop

access-list 2020 permit icmp any any echo-reply

------end of excerpt

****Number 4

http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=20262795-2000061744t-10000005c

Provides another Cisco IOS example:

----------excerpt
config t
Access-list 100 permit icmp any {your network} {your subnet} echo-reply
Access-list 100 permit icmp any (your Network) (your Subnet) echo
Interface e1
Rate-limit input access-group 100 512000 8000 8000 conform-action transmit exceed-action drop

-------end of excerpt

Brian Haley wrote:

Alex Conta wrote:

Are there any implementations where ICMP rate limiting is implemented separately from other protocol packets traffic management (traffic shaping)?


HP has at least one UNIX that does ICMPv6 and Mobility Header in common code, Linux does ICMPv4/v6 together on a per-route basis.

If an IP implementation has support for traffic management, the packet schedulers (traffic shaping) associated with interfaces, handle ICMP rate limiting per interface (in terms of both configuring and rate limiting) similarly to other protocol packets traffic shaping per interface.


Not true in the cases I cited.

-Brian


Pekka Savola wrote:

On Thu, 5 Aug 2004, Alex Conta wrote:

"The rate-limiting parameters SHOULD be configurable per node,
if the node has similar speed/bandwidth interfaces, and/or per interface, if the node has dissimilar speed/bandwidth interfaces".




I'm slightly concerned whether we have two implementations of interface-specific rate-limiting parameters, required for Draft Standard. Do you know of any?



------------------------------------------------------------------------

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
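
The per-node versus per-interface trade-off discussed in this thread, as an added example that is not part of any message in it: a token-bucket limiter simulated with one shared bucket per node and with one bucket per interface. The packet size, bucket depth and offered ICMP load are assumptions chosen for illustration; the link speeds and the 1% budget are the figures used in the message.

```python
# Added example (not from the thread): one token bucket per node vs one per interface.
T1_BPS, GIGE_BPS = 1_500_000, 1_000_000_000     # link speeds as used in the message
FRACTION = 0.01                                 # the 1% ICMP budget from the message
PKT_BITS = 1000 * 8                             # assumed ICMP error size (1000 bytes)
BURST = 2 * PKT_BITS                            # assumed bucket depth
OFFERED = {"t1": 3_000_000, "gige": 5_000_000}  # constructed ICMP error demand, bit/s


class TokenBucket:
    def __init__(self, rate_bps):
        self.rate, self.tokens, self.last = rate_bps, BURST, 0.0

    def allow(self, now, bits):
        # Refill for the elapsed time, capped at the bucket depth.
        self.tokens = min(BURST, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < bits:
            return False
        self.tokens -= bits
        return True


def run(buckets, seconds=5):
    """buckets maps interface -> TokenBucket (the same object means a shared,
    per-node limit). Returns interface -> ICMP bit/s actually permitted."""
    events = sorted((i * PKT_BITS / bps, name)
                    for name, bps in OFFERED.items()
                    for i in range(int(bps * seconds / PKT_BITS)))
    sent = dict.fromkeys(OFFERED, 0)
    for now, name in events:
        if buckets[name].allow(now, PKT_BITS):
            sent[name] += PKT_BITS
    return {name: bits / seconds for name, bits in sent.items()}


def compare():
    node_t1 = TokenBucket(FRACTION * T1_BPS)      # one bucket, sized for the T1
    node_ge = TokenBucket(FRACTION * GIGE_BPS)    # one bucket, sized for the GigE
    return {
        "per-node, sized for T1": run({"t1": node_t1, "gige": node_t1}),
        "per-node, sized for GigE": run({"t1": node_ge, "gige": node_ge}),
        "per-interface": run({"t1": TokenBucket(FRACTION * T1_BPS),
                              "gige": TokenBucket(FRACTION * GIGE_BPS)}),
    }


if __name__ == "__main__":
    for policy, result in compare().items():
        print(policy, result)
```

With the node-wide bucket sized for the T1, both interfaces together are held to the T1's 1% budget; sized for the GigE, the ICMP rate permitted toward the T1 exceeds the T1's line rate.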
