[c-nsp] Per packet load balancing with low latency

Tony Varriale tvarriale at comcast.net
Fri Jan 16 12:31:19 EST 2009


If you make a policy to only turn it off in certain locations, I could 
certainly see how it would potentially cause issues.  MLPPP or not...

Saying you don't need PMTU discovery is not really a good policy to have at 
a high level regardless of internal or external.  But, it's your network you 
can run it as you wish.

I would hope that you would not recommend doing that to others though as it 
may cause others problems...especially if they don't understand the 
ramifications.

tv
----- Original Message ----- 
From: "Michael Malitsky" <malitsky at netabn.com>
To: <cisco-nsp at puck.nether.net>
Sent: Thursday, January 15, 2009 5:24 PM
Subject: Re: [c-nsp] Per packet load balancing with low latency


> PMTUD is certainly not the panacea it's made out to be.  It doesn't work
> more often than not (yes, due to some device in the path not supporting
> it).  Given the questionable usefulness, I still support it on
> Internet-facing links.  However, private infrastructure, where MLPPP is
> frequently used, is far more deterministic and usually does not require
> PMTUD.  BCP says if you don't need it, turn it off.  Besides,
> considering that MLPPP is often a low-budget solution (as opposed to a
> larger link), procuring additional security product may not be in the
> cards either (even if technologically possible).
>
> The above is my experience.
>
> Sincerely,
> Michael Malitsky
>
>
>> Date: Thu, 15 Jan 2009 14:10:48 -0600
>> From: "Tony Varriale" <tvarriale at comcast.net>
>> Subject: Re: [c-nsp] Per packet load balancing with low latency
>> To: <cisco-nsp at puck.nether.net>
>> Message-ID: <77D9873D48BA45DDAB65A10B747106D9 at flamdt01>
>> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
>> reply-type=original
>>
>> Unfortunately, not everything Cisco recommends translates well into
>> real world implementations.
>>
>> Feel free to read RFC 1191.  That should explain everything.  BCP says
>> don't turn off for this reason.
>>
>> As for the security aspect, there have been a few vulnerabilities that
>> were not really exploited and then fixed.  The pros of leaving this on
>> far outweigh any potential, never really attacked, security issue.
>>
>> And, if you do get seriously attacked by this method somehow, there
>> are products on the market that can effectively mitigate it (as well as
>> many others).
>>
>> tv
>>
>> ----- Original Message -----
>> From: "Michael Malitsky" <malitsky at netabn.com>
>> To: <cisco-nsp at puck.nether.net>
>> Sent: Thursday, January 15, 2009 1:42 PM
>> Subject: Re: [c-nsp] Per packet load balancing with low latency
>>
>>
>> > Tony,
>> >
>> > I'll agree with the comments on uRPF and queuing - you should know
>> > why you want these changes before making them.
>> >
>> > However, disabling IP Unreachables is now one of the baseline
>> > measures for infrastructure protection, and recommended as such by
>> > Cisco.
>> > I'll agree in advance that there may be situations where IP
>> > unreachables are desired, or situations where infrastructure
>> > protection is not important, but by and large disabling it seems to
>> > be a good step.  If you disagree, I'd appreciate an explanation.
>> >
>> > Sincerely,
>> > Michael Malitsky
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/ 
