[c-nsp] Under attack, need help with ACL....

Pekka Savola pekkas at netcore.fi
Fri Nov 5 09:38:31 EST 2004


On Fri, 5 Nov 2004, Rodney Dunn wrote:
> Not here to argue...too much real work to do. :)
>
> But I don't see how a token bucket is any different.
> Feel free to educate me.
>
> A token bucket that allows a burst is a rate limiter
> because it has a maximum it can hold.  I'm sure there
> are different ways to look at it but you either drop
> packets at some point or you don't.
>
> With a token bucket you can tune the bucket depth.
>
> Same as with a rate limiter, you can tune it.
>
> Seems there would always be a ceiling in either
> implementation.
>
> Or don't I understand what you mean by token bucket?

Let's take an example: a router might typically generate 1 ICMP time 
exceeded message per 10 seconds, but there are cases when multiple 
ones might occur in a quick succession, e.g., paced 1 ms apart from 
each other.

To be able to configure a rate-limit with just a frequency, as IOS has, 
one would have to configure the rate-limit interval to 1 ms or 
disable it completely. (Both would be bad from the load 
perspective.)

For a token bucket rate-limiter, it is sufficient to use the defaults, 
which might allow (on average) 2 ICMPs/second, but also allow e.g. 10, 
50 or 100 messages to be generated in burst.

Rate-limiters which only deal with strict frequency cannot deal with 
bursts, and are not good.  A rate-limiter with a token bucket allows a 
reasonable amount of bursting (which may be configurable) while still 
limiting the long-term average to a reasonable amount (e.g., against long-term 
DoS effects).

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
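As an added illustration of the difference described in the reply above (example code, not from the list post and not IOS's implementation): a small simulation of a strict one-per-interval limiter beside a token bucket, run over a constructed 1 ms-spaced burst and a 1000-packet flood. Class names, the 2/s rate and the bucket depth of 50 are assumptions, not IOS defaults.

```python
# Added example, not from the list post: simulate the two limiter types the
# message contrasts. Times are integer ms; rates/burst sizes are constructed.
class FixedIntervalLimiter:
    """Strict frequency limiter: at most one message per `interval_ms`."""
    def __init__(self, interval_ms):
        self.interval_ms = interval_ms
        self.last_sent = None

    def allow(self, now_ms):
        if self.last_sent is None or now_ms - self.last_sent >= self.interval_ms:
            self.last_sent = now_ms
            return True
        return False

class TokenBucketLimiter:
    """Tokens accrue at `rate_per_s` up to `burst`; each message spends one."""
    def __init__(self, rate_per_s, burst):
        self.rate_per_ms = rate_per_s / 1000.0
        self.burst = burst
        self.tokens = float(burst)  # bucket starts full
        self.last_ms = 0

    def allow(self, now_ms):
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def passed(limiter, times_ms):
    """Count how many timestamps the limiter lets through."""
    return sum(1 for t in times_ms if limiter.allow(t))

# Constructed traffic: 10 legitimate triggers 1 ms apart (e.g. a traceroute),
# then, 10 s later, a 1000-packet flood at the same 1 ms pacing.
BURST = list(range(10))
FLOOD = [10_000 + i for i in range(1000)]

def compare():
    """Messages actually emitted, per limiter and traffic pattern."""
    return {
        "fixed_10s_burst": passed(FixedIntervalLimiter(10_000), BURST),  # 1
        "fixed_1ms_flood": passed(FixedIntervalLimiter(1), FLOOD),       # 1000
        "bucket_burst": passed(TokenBucketLimiter(2.0, 50), BURST),      # 10
        "bucket_flood": passed(TokenBucketLimiter(2.0, 50), FLOOD),      # 50-51
    }
```

The strict 10 s interval drops 9 of the 10 legitimate messages, the 1 ms interval passes the whole flood, while the bucket passes the legitimate burst and caps the flood at roughly the bucket depth plus one second of refill.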

