On 2018-11-26 09:53, Gert Doering wrote:
> Hi,
>
> ...
> As people have explained in great detail, there's work that the routers
> are built to do, where the number of packets they can handle is nearly
> arbitrarily high.
>
> Then there's packets that are seen as an exception, and handled in a
> not-as-powerful path. Back then, when the Internet was new, these
> exceptional packets were considered "something we'll handle when the
> need arises", and it mostly worked.
Translation - "we cheated", and that's not working anymore. Agreed.
> Today, whenever anything that is connected
> to the real Internet has a weakness, it will be abused. Thus, these
> packets will have to be rate-limited, up to the point of uselessness.
Rate limiting is quite different from 100% discards. When abuse happens,
it's clearly safe to react.
But reacting to the mere presence of this additional - unexpected - work
is not itself abuse. And frankly it's only abuse because vendors claim
IPv6 compliance by cheating and operators go along with the game.
> Of course you can build a box that can do everything with the same
> speed. I would recommend to the reader to make himself familiar with
> current market realities, though, regarding "cost", "power consumption",
> "feasibility to build in time before the increase in bandwidth has them
> obsoleted again" and "willingness of customers to pay serious money for
> their Internet access".
If you sold this as "partial IPv6" or "incomplete support for RFC8200",
then sure.
If most of the time these options are not used, then fine - rate limit
when they come up. But say that's what you're doing.
And don't pretend that this is for security purposes.
Joe
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
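The distinction drawn in this exchange between rate-limiting the exception path and discarding it outright, as an added example that is not part of the original thread or of any vendor's code. It is a small Python model, written for this page, of a router with a hardware fast path for plain IPv6 packets and a slower punt path for packets carrying extension headers; the token-bucket parameters (10 pps, burst 20), the traffic mix and the "legit"/"flood" labels are constructed assumptions used only to score the three policies.

```python
"""Added example (not from the original post or any vendor): model a router
with a fast path for plain IPv6 and a slower exception ("punt") path for
packets carrying extension headers, and compare three punt-path policies:
forward everything, discard everything, or rate-limit with a token bucket.

All traffic is constructed. Time is in integer milliseconds and the bucket
holds integer millitokens, so every result below is exact."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t_ms: int              # arrival time in milliseconds (constructed)
    has_ext_headers: bool  # True -> cannot be handled on the fast path
    label: str             # "legit" or "flood"; used only for scoring, not by the policy


class TokenBucket:
    """Classic token bucket: `rate_pps` packets/s sustained, `burst` packets deep."""

    def __init__(self, rate_pps: int, burst: int):
        self.rate_pps = rate_pps
        self.cap = burst * 1000        # bucket depth in millitokens
        self.tokens = self.cap         # start full
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        # each elapsed millisecond adds rate_pps millitokens (= rate_pps/1000 packets)
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate_pps)
        self.last_ms = now_ms
        if self.tokens >= 1000:        # one whole packet's worth available
            self.tokens -= 1000
            return True
        return False


def forward(packets, policy, rate_pps=10, burst=20):
    """Run `packets` through the model under `policy` in {"accept", "drop",
    "ratelimit"} and return per-path counters."""
    bucket = TokenBucket(rate_pps, burst)
    stats = {"fast_forwarded": 0, "exc_legit_forwarded": 0,
             "exc_flood_forwarded": 0, "exc_dropped": 0}
    for p in sorted(packets, key=lambda p: p.t_ms):
        if not p.has_ext_headers:
            stats["fast_forwarded"] += 1   # the fast path is untouched by any punt policy
            continue
        if policy == "accept":
            ok = True
        elif policy == "drop":
            ok = False
        elif policy == "ratelimit":
            ok = bucket.allow(p.t_ms)
        else:
            raise ValueError(f"unknown policy {policy!r}")
        if ok:
            stats[f"exc_{p.label}_forwarded"] += 1
        else:
            stats["exc_dropped"] += 1
    return stats


def constructed_traffic():
    """Constructed 22-second trace: steady fast-path traffic, one legitimate
    extension-header packet per second, and a 1000-packet flood in second 10."""
    pkts = [Packet(t, False, "legit") for t in range(0, 22000, 10)]          # 2200 plain packets
    pkts += [Packet(s * 1000 + 500, True, "legit") for s in range(0, 10)]    # before the flood
    pkts += [Packet(s * 1000 + 500, True, "legit") for s in range(12, 22)]   # after the flood
    pkts += [Packet(10000 + k, True, "flood") for k in range(1000)]          # 1000 pps for 1 s
    return pkts


def compare():
    traffic = constructed_traffic()
    return {pol: forward(traffic, pol) for pol in ("accept", "drop", "ratelimit")}


if __name__ == "__main__":
    for pol, s in compare().items():
        print(f"{pol:10s} {s}")
```

Under "accept" the punt path absorbs the full 1000 pps burst; under "drop" the 20 legitimate extension-header packets are lost along with the flood; under "ratelimit" all 20 legitimate packets are forwarded while only 29 of the 1000 flood packets reach the slow path, which is the difference between a 100% discard and a rate limit that reacts only when abuse actually exceeds the budget.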