[c-nsp] Per packet load balancing with low latency

Michael Malitsky malitsky at netabn.com
Thu Jan 15 18:24:46 EST 2009


PMTUD is certainly not the panacea it's made out to be.  It doesn't work
more often than not (yes, due to some device in the path not supporting
it).  Given the questionable usefulness, I still support it on
Internet-facing links.  However, private infrastructure, where MLPPP is
frequently used, is far more deterministic and usually does not require
PMTUD.  BCP says if you don't need it, turn it off.  Besides, MLPPP is
often a low-budget solution (as opposed to a larger link), so procuring
an additional security product may not be in the cards either (even if
technologically possible).

The above is my experience.

Sincerely,
Michael Malitsky


> Date: Thu, 15 Jan 2009 14:10:48 -0600
> From: "Tony Varriale" <tvarriale at comcast.net>
> Subject: Re: [c-nsp] Per packet load balancing with low latency
> To: <cisco-nsp at puck.nether.net>
> Message-ID: <77D9873D48BA45DDAB65A10B747106D9 at flamdt01>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
> 	reply-type=original
> 
> Unfortunately, not everything Cisco recommends translates well into
> real world implementations.
> 
> Feel free to read RFC 1191.  That should explain everything.  BCP says
> don't turn off for this reason.
> 
> As for the security aspect, there have been a few vulnerabilities that
> were not really exploited and then fixed.  The pros of leaving this on
> far outweigh any potential, never really attacked, security issue.
> 
> And, if you do get seriously attacked by this method somehow, there
> are products on the market that can effectively mitigate it (as well
> as many others).
> 
> tv
> 
> ----- Original Message -----
> From: "Michael Malitsky" <malitsky at netabn.com>
> To: <cisco-nsp at puck.nether.net>
> Sent: Thursday, January 15, 2009 1:42 PM
> Subject: Re: [c-nsp] Per packet load balancing with low latency
> 
> 
> > Tony,
> >
> > I'll agree with the comments on uRPF and queuing - you should know
> > why you want these changes before making them.
> >
> > However, disabling IP Unreachables is now one of the baseline
> > measures for infrastructure protection, and recommended as such by
> > Cisco.  I'll agree in advance that there may be situations where IP
> > unreachables are desired, or situations where infrastructure
> > protection is not important, but by and large disabling it seems to
> > be a good step.  If you disagree, I'd appreciate an explanation.
> >
> > Sincerely,
> > Michael Malitsky
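Added example (not code from this thread, from Cisco, or from RFC 1191 itself): a small Python model of the Path MTU Discovery interaction the two posters disagree about. The three-hop path, the 1492-byte MLPPP bundle MTU and the retry count are constructed placeholder values. Setting `send_unreachables=False` on a hop models suppressing ICMP unreachables on that interface; the model shows that a sender relying on PMTUD black-holes its large DF packets only when that hop is also the one with the smaller MTU, which is the deterministic-private-path case the first message describes versus the Internet-facing case where the bottleneck is unknown.

```python
"""Toy model of RFC 1191 Path MTU Discovery and of what happens when the
hop with the smaller MTU stops sending ICMP Fragmentation Needed.
Constructed example for illustration; not the list's or Cisco's code."""

from dataclasses import dataclass
from typing import List, Optional

IP_HEADER = 20  # bytes, IPv4 header without options

SILENT_DROP = -1  # forward() marker: packet dropped with no ICMP sent


@dataclass
class Hop:
    name: str
    mtu: int
    send_unreachables: bool = True  # False models suppressed ICMP unreachables


@dataclass
class PmtuResult:
    delivered: bool
    path_mtu: int      # the sender's final MTU estimate
    attempts: int
    black_holed: bool  # True when retries ran out with no ICMP feedback


def forward(hops: List[Hop], size: int) -> Optional[int]:
    """Walk a DF packet of `size` bytes along the path.

    Returns None if it reaches the far end, the next-hop MTU if a hop
    refused it and answered with ICMP type 3 code 4, or SILENT_DROP if
    the refusing hop has unreachables disabled."""
    for hop in hops:
        if size > hop.mtu:
            return hop.mtu if hop.send_unreachables else SILENT_DROP
    return None


def pmtud(hops: List[Hop], payload: int,
          initial_mtu: int = 1500, max_retries: int = 5) -> PmtuResult:
    """Sender side of PMTUD: send at the current estimate, shrink the
    estimate to the advertised next-hop MTU on Fragmentation Needed, and
    simply retransmit when nothing comes back (a real stack would retry
    on a timer; here the retry count is the constructed cut-off)."""
    path_mtu = initial_mtu
    attempts = 0
    while attempts < max_retries:
        attempts += 1
        size = min(payload + IP_HEADER, path_mtu)
        verdict = forward(hops, size)
        if verdict is None:
            return PmtuResult(True, path_mtu, attempts, False)
        if verdict == SILENT_DROP:
            continue  # no ICMP: the sender learns nothing and retransmits
        path_mtu = verdict  # next-hop MTU field from the ICMP message
    return PmtuResult(False, path_mtu, attempts, True)


def constructed_path(bundle_sends_icmp: bool,
                     edge_sends_icmp: bool = True) -> List[Hop]:
    """Constructed three-hop path with an MLPPP bundle as the bottleneck."""
    return [
        Hop("edge", 1500, send_unreachables=edge_sends_icmp),
        Hop("mlppp-bundle", 1492, send_unreachables=bundle_sends_icmp),
        Hop("core", 1500),
    ]


if __name__ == "__main__":
    bulk = 1480  # bytes of payload, enough to need a full 1500-byte packet
    print("ICMP on at bottleneck:", pmtud(constructed_path(True), bulk))
    print("ICMP off at bottleneck:", pmtud(constructed_path(False), bulk))
    print("ICMP off at non-bottleneck:",
          pmtud(constructed_path(True, edge_sends_icmp=False), bulk))
```

The third case is the one that decides the argument in practice: unreachables suppressed on a hop whose MTU is not the smallest on the path changes nothing, so the setting is only dangerous on the interface that actually reduces MTU, and only for traffic that sends full-size DF packets. Small packets (the 100-byte case in the test) are unaffected either way.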