[c-nsp] IOS XR 4.3.4, control-plane policing, and NTP
Andrew Miehs
andrew at 2sheds.de
Sat Aug 2 18:43:55 EDT 2014
Still won't protect against the next buffer overflow in ntpd :(
> On 3 Aug 2014, at 3:40, Daniel Suchy <danny at danysek.cz> wrote:
>
> LPTS limits (in hardware) the amount of packets from (each) linecard to
> the LC/RP CPU - in combination with the service ACL you mentioned before,
> the service can be reasonably protected against misuse.
>
>> On 2.8.2014 18:58, Gert Doering wrote:
>> Hi,
>>
>>> On Sat, Aug 02, 2014 at 06:03:51PM +0200, Daniel Suchy wrote:
>>> Hello, this should help:
>>>
>>> lpts pifib hardware police flow ntp default rate 0
>>>
>>> Configured ntp servers use "flow ntp known". There are many other
>>> HW ratelimiters.
>>
>> It does "something", but that is not "do not answer", but it slows
>> incoming packets down to about 2pps or so... but that's good
>> enough for now.
>>
>> Funny stuff.
>>
>> gert