Congratulations to Germany, Netherlands and Portugal ;-)

Daniel Roesen dr at cluenet.de
Mon Dec 17 13:35:31 CET 2012


On Mon, Dec 17, 2012 at 10:57:42AM +0000, Benedikt Stockebrand wrote:
> I really wonder how ISPs are intending to deal with malicious
> denial-of-service and/or customers starting e.g. BitTorrent clients
> that need 750 connections each (number according to Alain
> Fiocco/Cisco, at the German IPv6 Summit two weeks ago).
> 
> But then, basically the same issue applies to CGN in general.

Whatever "CGN" is. NAT with lots of bugs for getting them fixed you have
to pay huge amounts of money for support contracts (that's what usually
is advertised as "carrier grade")? :-)

But yes, that's a general large scale NAT consideration, and every
implementation I have seen has configurable limits in place to deal with
that.

Dealing with DDoS from "inside" (infected customer devices specifically
targeting NATs) is indeed where the fun starts. Finding a mitigation
strategy with least possible collateral damage to non-malicious clients
that is able to really scale is non-trivial. Protocol design properties
like DS-Lite tunnel fragmentation don't help either.


Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

