[c-nsp] Under attack, need help with ACL....
Pekka Savola
pekkas at netcore.fi
Fri Nov 5 09:38:31 EST 2004
On Fri, 5 Nov 2004, Rodney Dunn wrote:
> Not here to argue...too much real work to do. :)
>
> But I don't see how a token bucket is any different.
> Feel free to educate me.
>
> A token bucket that allows a burst is a rate limiter
> because it has a maximum it can hold. I'm sure there
> are different ways to look at it but you either drop
> packets at some point or you don't.
>
> With a token bucket you can tune the bucket depth.
>
> Same as with a rate limiter, you can tune it.
>
> Seems there would always be a ceiling in either
> implementation.
>
> Or don't I understand what you mean by token bucket?
Let's take an example: a router might typically generate 1 ICMP time
exceeded message per 10 seconds, but there are cases when multiple
ones might occur in quick succession, e.g., paced 1 ms apart from
each other.

To be able to configure a rate-limit with just a frequency, such as
IOS has, one would have to configure the rate-limit interval to 1 ms or
disable it completely. (Both of which would be bad from the load
perspective.)

For a token bucket rate-limiter, it is sufficient to use the defaults,
which might allow (on average) 2 ICMPs/second, but also allow e.g. 10,
50 or 100 messages to be generated in a burst.

Rate-limiters which only deal with strict frequency cannot deal with
bursts, and are not good. A rate-limiter with a token bucket allows a
reasonable amount of bursting (which may be configurable) while still
limiting the long-term average to a reasonable amount (e.g., long-term
DoS effects).
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
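The comparison Pekka draws above, as an added example that is not code from the thread: a strict-interval limiter and a token bucket are fed the same constructed ICMP time-exceeded workload (triggers paced 1 ms apart in bursts, and a sustained 1-per-ms flood). The class names, the 2/s rate, the bucket depth of 10 and the timings are all assumptions chosen to match the numbers in the post.

```python
"""Added example, not code from the thread: strict-interval vs token-bucket
rate limiting of ICMP generation. All rates, depths and timings are constructed."""
from dataclasses import dataclass, field

@dataclass
class IntervalLimiter:
    """Frequency-only limiter (IOS-style): one message admitted per `interval_ms`."""
    interval_ms: int
    last: int = -10**9  # time of the last admitted message (none yet)

    def admit(self, t_ms: int) -> bool:
        if t_ms - self.last >= self.interval_ms:
            self.last = t_ms
            return True
        return False

@dataclass
class TokenBucket:
    """Refills `rate` tokens/s up to `depth`; each message costs one token."""
    rate: float
    depth: float
    tokens: float = field(init=False)
    last: int = 0

    def __post_init__(self):
        self.tokens = self.depth  # bucket starts full: `depth` is the burst allowance

    def admit(self, t_ms: int) -> bool:
        # Refill proportionally to elapsed time, capped at the bucket depth.
        self.tokens = min(self.depth, self.tokens + (t_ms - self.last) * self.rate / 1000.0)
        self.last = t_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def run(limiter, arrivals_ms):
    """Feed event timestamps (ms) through a limiter; return how many it admits."""
    return sum(1 for t in arrivals_ms if limiter.admit(t))

# Constructed workloads: two bursts of 20 triggers paced 1 ms apart and 10 s apart,
# and a sustained flood of one trigger per ms for 10 s (the long-term DoS case).
BURST = list(range(20))
TWO_BURSTS = BURST + [10_000 + t for t in BURST]
FLOOD = list(range(10_000))

if __name__ == "__main__":
    print("10 s interval, bursts:", run(IntervalLimiter(10_000), TWO_BURSTS))     # 2
    print("bucket 2/s depth 10, bursts:", run(TokenBucket(2.0, 10), TWO_BURSTS))  # 20
    print("bucket 2/s depth 10, flood:", run(TokenBucket(2.0, 10), FLOOD))  # about depth + rate * 10 s
```

The 10 s interval limiter lets through only the first trigger of each burst, while the token bucket passes the first 10 of each burst and, under the flood, settles to roughly its 2/s average on top of the initial burst allowance.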