[c-nsp] Under attack, need help with ACL....

Rodney Dunn rodunn at cisco.com
Fri Nov 5 08:17:57 EST 2004


Not here to argue...too much real work to do. :)

But I don't see how a token bucket is any different.
Feel free to educate me.

A token bucket that allows a burst is a rate limiter
because it has a maximum it can hold.  I'm sure there
are different ways to look at it but you either drop
packets at some point or you don't.

With a token bucket you can tune the bucket depth.

Same as with a rate limiter, you can tune it.

Seems there would always be a ceiling in either
implementation.

Or don't I understand what you mean by token bucket?

On Thu, Nov 04, 2004 at 07:42:38AM +0200, Pekka Savola wrote:
> Hi,
> 
> On Wed, 3 Nov 2004, Rodney Dunn wrote:
> > The rate limiting is per source address from what I remember.
> >
> > There is an enhancement request on the table
> > to provide more notification to users when
> > packets are being rate limited (SNMP, syslog,
> > show command) and to break out the reasons.
> 
> Yeah, but much better would be just implementing a token bucket which 
> would allow small bursts in sending the messages, rather than a strict 
> time-based limiter or disabling it altogether.  That's what modern OSs 
> (like linux, bsd) do.
> 
> >
> > You can turn it off if you want:
> >
> > no ip icmp rate-limit unreachable
> >
> > That's why you see a traceroute that looks like
> > this:
> >
> > Router#tr 1.1.1.2
> >
> > Type escape sequence to abort.
> > Tracing the route to 1.1.1.2
> >
> >  1 1.1.1.2 4 msec *  0 msec
> > Router#!now turn it off on the target router
> > Router#tr 1.1.1.2
> >
> > Type escape sequence to abort.
> > Tracing the route to 1.1.1.2
> >
> >  1 1.1.1.2 4 msec 0 msec 0 msec
> >
> > http://www.cisco.com/en/US/tech/tk364/tk871/technologies_tech_note09186a00801ae32a.shtml
> >
> > Rodney
> >
> >
> > On Wed, Nov 03, 2004 at 07:06:28AM +0200, Pekka Savola wrote:
> >> On Tue, 2 Nov 2004, Rodney Dunn wrote:
> >>> 101_(config)#ip icmp rate-limit unreachable ?
> >>>  <1-4294967295>  Once per milliseconds
> >>>  DF              code 4, fragmentation needed and DF set
> >>>
> >>> default is one per 500 msec.
> >>
> >> That would be really stupid if that was the case (e.g., it breaks
> >> traceroutes).  Don't you have some kind of token bucket?
> >>
> >> --
> >> Pekka Savola                 "You each name yourselves king, yet the
> >> Netcore Oy                    kingdom bleeds."
> >> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> 
> -- 
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
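To make the two positions in this thread concrete, here is an added simulation that is not part of the original mail exchange. It models the one-per-interval ICMP unreachable limiter (the 500 ms default quoted above) next to a token bucket that refills at the same average rate but can hold a few tokens, and runs both against a traceroute-style probe sequence and against a flood. The bucket depth of 3, the 4 ms RTT and the 3000 ms probe timeout are assumptions chosen for illustration; the per-source-address behaviour mentioned in the thread is not modelled.

```python
# Added example: strict interval limiter vs. token bucket for ICMP unreachables.
# Times are integer milliseconds so the arithmetic is exact and reproducible.


class IntervalLimiter:
    """Strict time-based limiter: at most one message per interval_ms."""

    def __init__(self, interval_ms=500):
        self.interval_ms = interval_ms
        self.last_sent_ms = None

    def allow(self, now_ms):
        if self.last_sent_ms is None or now_ms - self.last_sent_ms >= self.interval_ms:
            self.last_sent_ms = now_ms
            return True
        return False


class TokenBucket:
    """Token bucket: one token earned every interval_ms, at most `depth` banked.

    Average rate is the same as IntervalLimiter(interval_ms); the difference is
    that up to `depth` messages may go out back to back before refill matters.
    """

    def __init__(self, interval_ms=500, depth=3):
        self.interval_ms = interval_ms
        self.depth = depth
        self.tokens = depth          # bucket starts full
        self.credit_ms = 0           # elapsed time not yet converted to a token
        self.last_ms = None

    def allow(self, now_ms):
        if self.last_ms is not None:
            self.credit_ms += now_ms - self.last_ms
            earned, self.credit_ms = divmod(self.credit_ms, self.interval_ms)
            self.tokens = min(self.depth, self.tokens + earned)
            if self.tokens == self.depth:
                self.credit_ms = 0   # a full bucket does not bank extra credit
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def traceroute_hop(limiter, probes=3, rtt_ms=4, timeout_ms=3000):
    """Model traceroute at one hop: send the next probe right after a reply,
    or only after the timeout when the router suppressed the unreachable.
    Returns one bool per probe: True = reply received, False = '*'."""
    now = 0
    answered = []
    for _ in range(probes):
        ok = limiter.allow(now)
        answered.append(ok)
        now += rtt_ms if ok else timeout_ms
    return answered


def flood(limiter, count=1000, spacing_ms=1):
    """Count how many unreachables a limiter would emit for `count` packets
    arriving `spacing_ms` apart: the ceiling both schemes impose."""
    return sum(limiter.allow(i * spacing_ms) for i in range(count))


if __name__ == "__main__":
    print("interval limiter, traceroute probes:", traceroute_hop(IntervalLimiter()))
    print("token bucket,     traceroute probes:", traceroute_hop(TokenBucket()))
    print("interval limiter, replies to 1000-pkt flood:", flood(IntervalLimiter()))
    print("token bucket,     replies to 1000-pkt flood:", flood(TokenBucket()))
```

With the strict limiter the hop comes back as reply, `*`, reply, which is the `4 msec * 0 msec` pattern quoted above; the bucket answers all three probes because they fit inside its depth. Under a 1000-packet flood the strict limiter emits 2 unreachables and the bucket 4, so both still cap the ICMP work the router does; the bucket only trades a slightly larger burst for not breaking ordinary diagnostics.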

