Steven M. Bellovin wrote:
Personally, I see a big difference between rate-shaping and sending RSTs. (I suppose you could view RSTs as allocating 0 bps, but that's not a helpful distinction.)
I see a big difference as well. With rate-shaping they would need to have the P2P identification widget in-line with the data path to be able to classify and mark traffic so that it can be queued/throttled appropriately. This means that overall network availability would now be tied to a device that isn't really a proven piece of network hardware. To send TCP resets, on the other hand, all that is needed is a span session to the inspection probe to let it determine which connections to shut down and issue the resets completely out of band. If the inspection probe kacks, everything on the network continues to function and only the P2P throttling functionality would be impacted. As a network engineer focused on availability, I have a very clear preference in implementation.

-Eric