[c-nsp] SUP720 - 12.2(18)SXF17
Richard A Steenbergen
ras at e-gerbil.net
Sat Oct 10 07:35:57 EDT 2009
On Fri, Oct 09, 2009 at 09:16:27AM -0400, Jared Mauch wrote:
> I think it's important to note that there are similar limiters in
> other devices, eg: Juniper m20/m40 that we've encountered over the
> years.
>
> This has caused customer confusion as they hit these, even in a fully
> distributed linecard environment. The reality is unless it's done in
> a low-level ASIC, it can easily turn into a security vulnerability.
>
> Drop 5 gigs of ttl=1 traffic at a device and it will fall over unless
> there is some protection. It may not even need to be as high as 5g.
>
> There are a lot of rate-limiters available, check out 'show mls
> rate-limit' on your Earl7 (76k, ie: (65|76)00) based device. Set them
> low to avoid problems. I find 100/10 works well.
Juniper has some extremely low arbitrary hard-coded limits built in, as
low as 50pps per FPC on M20/M40 type cards. Even on higher end boxes
it's not much better, hardcoded at 250 or 500pps per FPC for 40g/slot
cards.
It only takes a couple of people on the internet running mtr to destroy
those rate-limits and completely break your traceroute, to say nothing
of what happens when you get a TTL expiring DoS or someone creates a
forwarding loop. We routinely bump these limits, nearly 24/7 on some
routers, which only serves to confuse/annoy customers (and other random
people on the Internet who somehow managed to work a phone or email to
complain about what you're doing to their gamer score). I can't even
imagine configuring a 100/10 rate-limiter, it would get destroyed on any
network with any amount of traceroute going through it. At least Cisco
doesn't have those silly hard-coded limits, but on the other hand since
the TTL expiration handling isn't distributed I'm sure it doesn't work
out much better than a 500pps per FPC rate-limiter anyways.
Some days I would pay good money for a traceroute handling ASIC, or at
least some primitives for it in some microcode somewhere, so it isn't at
the mercy of BGP scanner, someone running a complex sh ip bgp on the
cli, or any random kid capable of generating > 500pps.
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
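Added illustration, not part of this thread or of either poster's text: a small Python token-bucket model of a per-linecard "punt to CPU" rate-limiter for TTL-expired packets, showing why a low pps/burst setting (such as the 100/10 Jared mentions, or a hard-coded 500 pps per FPC) stops returning ICMP Time Exceeded to legitimate traceroute/mtr sessions as soon as total offered load exceeds the limit. All traffic is constructed. Assumptions: each mtr session contributes about one TTL-expiring probe per second at a given router (one probe per cycle runs out of TTL at this hop); the "flood" is an unrelated stream of TTL=1 packets at a fixed rate; and the policer behaves as a simple token bucket (sustained pps plus burst depth), which is only an approximation of the real Earl7 `mls rate-limit` or Juniper FPC limiter hardware.

```python
"""Token-bucket model of a per-linecard TTL-expiry punt limiter (added example).

The policer sits between the forwarding ASIC and the route processor: only
packets that win a token are punted and get an ICMP Time Exceeded reply.
The policer cannot tell an mtr probe from a TTL=1 flood packet, so both
compete for the same tokens.
"""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Sustained rate in packets/sec plus a burst depth (bucket size)."""
    rate_pps: float
    burst: int

    def __post_init__(self):
        self.tokens = float(self.burst)   # bucket starts full
        self.last_t = 0.0

    def allow(self, t):
        """Refill for elapsed time, then spend one token if available."""
        refill = (t - self.last_t) * self.rate_pps
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def build_arrivals(n_sessions, flood_pps, duration):
    """Constructed, deterministic arrival list of (time, kind) tuples.

    n_sessions mtr sessions each send one TTL-expiring probe per second at
    this router (assumption), staggered within each second; the flood is a
    fixed-rate stream of TTL=1 packets.
    """
    pkts = []
    for s in range(n_sessions):
        offset = s / max(n_sessions, 1)
        for sec in range(duration):
            pkts.append((sec + offset, "traceroute"))
    n_flood = int(flood_pps * duration)
    for j in range(n_flood):
        pkts.append((j / flood_pps, "flood"))
    pkts.sort()          # tuples sort by time, then kind: deterministic
    return pkts


def simulate(limit_pps, burst, n_sessions, flood_pps=0.0, duration=10):
    """Fraction of each traffic kind that is punted (and so gets a reply)."""
    bucket = TokenBucket(limit_pps, burst)
    seen = {"traceroute": 0, "flood": 0}
    punted = {"traceroute": 0, "flood": 0}
    for t, kind in build_arrivals(n_sessions, flood_pps, duration):
        seen[kind] += 1
        if bucket.allow(t):
            punted[kind] += 1
    return {k: (punted[k] / seen[k] if seen[k] else None) for k in seen}


if __name__ == "__main__":
    cases = [
        ("100/10 limiter, 50 mtr sessions, no flood", 100, 10, 50, 0.0),
        ("100/10 limiter, 200 mtr sessions, no flood", 100, 10, 200, 0.0),
        ("500/50 limiter, 10 mtr sessions, no flood", 500, 50, 10, 0.0),
        ("500/50 limiter, 10 mtr sessions + 5000 pps TTL=1 flood", 500, 50, 10, 5000.0),
    ]
    for label, lim, burst, n, flood in cases:
        r = simulate(lim, burst, n, flood)
        print(f"{label}: traceroute replies {r['traceroute']:.1%}",
              f"flood replies {r['flood']:.1%}" if r["flood"] is not None else "")
```

The third and fourth cases are the point of the thread: a 500 pps limiter is invisible with ten mtr sessions, but once an unrelated TTL=1 stream exceeds the limit, essentially every traceroute probe loses the race for a token and the hop goes dark, while the limiter still does its job of keeping CPU load bounded. The second case shows the other failure mode, a low 100/10 setting being exceeded by ordinary traceroute load alone, about half the probes getting no reply.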