Hey Töma,

> NB: Cloudflare is basically busy filtering excessive amounts of spoofed ICMP
> packets containing whatever parameters and payload criminals could fit into,
> at virtually no cost for a customer. Your list might become somewhat short
> then.

I don't know what the problem is here, but the Cloudflare blog documents one specific problem related to ECMP, where the ICMPv6 messages arrive at the wrong host, and some solutions they are using to overcome that problem.

You are proposing that in this case there is no such issue of delivering ICMPv6 messages to the correct host, but that in this case the issue is a voluntary protection mechanism against too high a volume of bad ICMPv6 packets. Is this something you personally are aware of, or is this something you suspect might explain the problem?

Personally, I'm surprised if ICMP volume is relevant, based on our netflow data. And I've personally been affected in my own deployments by the ECMP problem and have solved it by just sending smaller packets. I understand it to be a common problem, and it would be good if we'd start asking vendors to fix the problem. The Cloudflare blog entry is 4 years old; if they had started actively pursuing a proper fix to the ECMP problem, the fix would be in production right about now.

--
  ++ytti