In our new data center builds we're transitioning from MMF to SMF for
the tie cabling between networking gear in the MDF/IDF racks to the
server racks. Today those interconnects are short (under 100 meters)
10GE and 40GE-LX4 over MMF. We’re transitioning to SMF to support
services beyond that,
On Mon, Aug 19, 2019, 9:24 PM Florian Brandstetter
wrote:
> Load balancing is done on Layer 4 or Layer 3 when routing, so your
> ingress connection will have the same hash as the outgoing connection
> (unless the source port of the connection changes on the ACK - which it
> really should not).
On Mon, Aug 19, 2019, 9:27 PM Valdis Klētnieks
wrote:
> On Mon, 19 Aug 2019 21:18:49 +0300, Töma Gavrichenkov said:
>
> > If you're doing load balancing for *outgoing* traffic — and in exactly
> the
> > same manner as you do with incoming — then maybe.
>
> On the other hand, your servers should
On Mon, 19 Aug 2019 21:18:49 +0300, T�ma Gavrichenkov said:
> If you're doing load balancing for *outgoing* traffic — and in exactly the
> same manner as you do with incoming — then maybe.
On the other hand, your servers should probably be doing non-loadbalanced
outbound on a different IP
On Mon, Aug 19, 2019, 8:57 PM Valdis Klētnieks
wrote:
> On Mon, 19 Aug 2019 20:44:47 +0300, Töma Gavrichenkov said:
>
> > Not in a typical DC/ISP environment! With the solution you propose, a
> > perfect routing symmetry is a hard requirement, b/c you need to make
> > sure a returning SYN/ACK
On Mon, 19 Aug 2019 20:44:47 +0300, T�ma Gavrichenkov said:
> Not in a typical DC/ISP environment! With the solution you propose, a
> perfect routing symmetry is a hard requirement, b/c you need to make
> sure a returning SYN/ACK hits the very same machine as the initial
> SYN.
If your load
On Mon, Aug 19, 2019 at 8:12 PM Damian Menscher wrote:
> A factor of 2 is "rounding error" and we probably shouldn't
> waste our time on it (eg, by designing solutions to reduce
> amplification factors) when we could instead be targeting
> the sources of spoofed traffic.
Ah, fine. Spoofing is
On Mon, Aug 19, 2019 at 4:15 AM Töma Gavrichenkov wrote:
> Dealing with TCP flags is a different story:
>
I agree these attacks can be large: the one under discussion probably
exceeded 10Mpps (Gbps is the wrong metric for small-packet attacks)
I agree they can cause significant outages: this
Peace,
On Mon, Aug 19, 2019 at 7:39 AM Damian Menscher via NANOG
wrote:
> Most kernels will return 3-5 SYN-ACK packets for an incoming
> SYN, so it's not particularly interesting for attackers or defenders.
Well, producing 1000 Gbps as opposed to 200 Gbps is still pretty
impressive, isn't it?
Peace,
On Sun, Aug 18, 2019 at 6:48 PM Mike wrote:
> [..] I do have an idea
> that may be potentially a good mitigation strategy and for the exact
> reason stated above; low load to individual end points may still, in
> aggregate, overwhelm an IX or provider, so cutting off the SYN-ACK
> traffic
10 matches
Mail list logo
