bad ping responder == bad PR ;-)
And anyway, who is anyone to judge what the system should be used for?
I want a system to respond to ping without limitations; it's good for
debugging, diagnostics, etc. If I want, I can just filter the requests
out, or rate-limit the responses.
However, ICMP error messages cannot be effectively filtered; they may
happen due to TTL=0 when forwarding, legitimate or illegitimate UDP connections, etc.;
the only way to effectively limit them is by rate-limiting. If rate-limiting
for informational and error types is the same, we have an inflexible
situation here.
> Then kernel must be shipped out without rate-limiting enabled by
> default, that's problem.
>
> I guess I missed something. That doesn't seem like a problem to
> me... and if you need to ship with a rate by default, then ship with a
> very-high rate. I've never managed to respond to more than 60,000
> ICMP packets/second, so I suggest 60,001.
Yes, you did. 60,000 responses/sec is effectively no protection at all,
and most people would appreciate protection for the error messages, which
are crucial to the working of TCP/IP; not so with informational ICMP
messages.
And by the way, rate-limiting ICMP error messages is a MUST item for IPv6.
-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.   -- Robert Jordan: A Crown of Swords
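The split the mail argues for (rate-limit ICMP error types, leave informational types such as echo reply alone) is what Linux exposes through the net.ipv4.icmp_ratemask sysctl: a bitmask of ICMP type numbers to which net.ipv4.icmp_ratelimit applies. The following is an added example, not part of the thread, that builds and decodes such a mask so the configured policy can be checked before it is applied.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build and decode the
# net.ipv4.icmp_ratemask bitmask. Bit N set == ICMP type N is rate-limited
# by the kernel's ICMP rate limiter (net.ipv4.icmp_ratelimit).

# Names for the ICMP types handled here (RFC 792 type numbers).
icmp_type_name() {
    case "$1" in
        0)  echo "echo-reply" ;;
        3)  echo "dest-unreachable" ;;
        4)  echo "source-quench" ;;
        8)  echo "echo-request" ;;
        11) echo "time-exceeded" ;;
        12) echo "parameter-problem" ;;
        *)  echo "type-$1" ;;
    esac
}

# Build a mask from a list of ICMP type numbers, e.g. icmp_ratemask 3 4 11 12
icmp_ratemask() {
    mask=0
    for t in "$@"; do
        mask=$(( mask | (1 << t) ))
    done
    echo "$mask"
}

# Decode a mask into the space-separated, ascending list of limited types.
icmp_ratemask_types() {
    types=""
    t=0
    while [ "$t" -lt 32 ]; do
        if [ $(( ($1 >> t) & 1 )) -eq 1 ]; then
            types="${types:+$types }$t"
        fi
        t=$(( t + 1 ))
    done
    echo "$types"
}

# Error types only: echo reply (type 0) stays unlimited, as the mail wants.
ERROR_MASK=$(icmp_ratemask 3 4 11 12)   # 6168, which is the kernel default
echo "net.ipv4.icmp_ratemask = $ERROR_MASK"
for t in $(icmp_ratemask_types "$ERROR_MASK"); do
    echo "  rate-limited: $t ($(icmp_type_name "$t"))"
done
# To apply on a live system (needs root):
#   sysctl -w net.ipv4.icmp_ratemask="$ERROR_MASK"
```

Decoding the mask currently in /proc/sys/net/ipv4/icmp_ratemask with icmp_ratemask_types is a quick way to confirm that echo reply is not among the limited types on a host that must answer ping without limits.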