On Wed, Dec 5, 2018 at 12:15 AM Mark Andrews <[email protected]> wrote:
>
> And the correct thing to do is to FIX THE BROKEN PRODUCT.
>
> If a ssh implementation is broken we don’t drop SSH packets. We fix the
> broken implementation of ssh.
>
> If there is a SQL injection problem we fix that problem rather than
> dropping HTTP and HTTPS packets.
>
> If a router can’t handle all legal packets at line rate the router needs
> to fixed.
>
> Punting stuff to be processed by the same CPU that process the routing
> table worked for a while. There is no rule that says routers can’t have
> multiple CPUs some of which are dedicated to handling the control plane
> and other that deal with everything else that has been punted. Design the
> router so that the control plane doesn’t get overloaded and the
> exceptional packet get handled.
>
> Generating PTB’s shouldn’t be seen as exceptional. Fragmented packets
> shouldn’t be seen as exceptional.
>
Even if I agree that is the way routers SHOULD be designed today, I'm not aware of any that are designed that way. Further, even if all new routers shipped from today on were designed that way, which they are not, it would easily take a decade or more for all the old legacy routers to fade away on the Internet. Those are facts we have to work with.

--
===============================================
David Farmer                 Email: [email protected]
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE       Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
