On Fri, Mar 8, 2019 at 5:11 PM Saku Ytti <saku@ytti.fi> wrote:
> Personally I'm surprised if ICMP volume is relevant based on our netflow data.
Legitimate ICMP traffic volume — oh, that's for sure. But when it comes to attack volumes, it's a different story, and current netflow measurements might be a bad indicator here, as in "peacetime generals are always fighting the last war instead of the next one".
> You are proposing that in this case, there is no such issue of delivering ICMPv6 messages to correct host
Guaranteed delivery of untrusted remote messages to exactly the particular host behind an equal-cost fanout, if allowed in a DDoS mitigation network, is itself a problem, but that has been discussed in detail in Section 6 of RFC 6437. My point is that it might be hard to find an affordable device that implements ECMP with v6 flow labels without a considerable performance impact. I would personally be happy to see what others have tested in that regard.

--
Töma
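To make the two ECMP keys under discussion concrete, here is an added example (not code from anyone in this thread): it builds a few constructed IPv6 packets, derives a classic 5-tuple key and an RFC 6437-style (src, dst, flow label) key for each, and maps each key to one of an assumed eight equal-cost next hops. The addresses, ports, flow label, the fanout size and the "local-secret" used for the keyed variant are all assumptions made up for the demonstration.

```python
"""Added example: ECMP key selection for IPv6, 5-tuple vs. flow-label key.
Not from the mailing-list thread; all traffic below is constructed."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

FANOUT = 8            # assumed number of equal-cost next hops (scrubbing hosts)
NH_TCP, NH_ICMPV6 = 6, 58


def build_ipv6(src: str, dst: str, next_header: int, flow_label: int = 0,
               payload: bytes = b"") -> bytes:
    """Build a minimal IPv6 packet: fixed header (TC=0, hop limit 64) + payload."""
    first_word = (6 << 28) | (flow_label & 0xFFFFF)   # version 6, 20-bit flow label
    return (struct.pack("!IHBB", first_word, len(payload), next_header, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + payload)


def parse_ipv6(pkt: bytes) -> dict:
    """Parse the fixed IPv6 header; read L4 ports only for TCP (6) and UDP (17)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, _plen, next_header, _hlim = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    hdr = {
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
        "next_header": next_header,
        "flow_label": first_word & 0xFFFFF,
        "sport": None,
        "dport": None,
    }
    # ICMPv6 (58) carries no ports, so a 5-tuple key for an ICMPv6 error
    # degenerates to (src, dst, 58) and says nothing about the flow it concerns.
    if next_header in (6, 17) and len(pkt) >= 44:
        hdr["sport"], hdr["dport"] = struct.unpack("!HH", pkt[40:44])
    return hdr


def key_5tuple(hdr: dict) -> bytes:
    """Classic ECMP key: src, dst, next header, source port, destination port."""
    return (hdr["src"].packed + hdr["dst"].packed + bytes([hdr["next_header"]])
            + struct.pack("!HH", hdr["sport"] or 0, hdr["dport"] or 0))


def key_flow_label(hdr: dict) -> bytes:
    """RFC 6437-style key: src, dst, 20-bit flow label; no transport parsing needed."""
    return hdr["src"].packed + hdr["dst"].packed + struct.pack("!I", hdr["flow_label"])


def ecmp_bucket(key: bytes, secret: Optional[bytes] = None) -> int:
    """Map a key to one of FANOUT next hops.  With a device-local secret the
    mapping becomes an HMAC, so a remote sender that chooses its own flow
    label cannot compute which next hop a given label selects."""
    if secret is None:
        digest = hashlib.sha256(key).digest()
    else:
        digest = hmac.new(secret, key, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % FANOUT


def buckets(pkts, policy, secret: Optional[bytes] = None):
    """Next-hop index for each packet under a key policy (and optional secret)."""
    return [ecmp_bucket(policy(parse_ipv6(p)), secret) for p in pkts]


# Constructed sample traffic (assumed addresses): a client->server TCP segment,
# a second segment of the same client with another source port, the server's
# reply segment, and an ICMPv6 Packet Too Big a router sends back to the server
# about that reply (type 2, code 0, checksum 0, MTU 1280, invoking packet).
CLIENT, SERVER, ROUTER = "2001:db8:1::10", "2001:db8:2::443", "2001:db8:ffff::1"
TCP_SEGMENT = build_ipv6(CLIENT, SERVER, NH_TCP, flow_label=0x12345,
                         payload=struct.pack("!HH", 40000, 443) + b"\x00" * 16)
TCP_OTHER_PORT = build_ipv6(CLIENT, SERVER, NH_TCP, flow_label=0x12345,
                            payload=struct.pack("!HH", 40001, 443) + b"\x00" * 16)
REPLY_SEGMENT = build_ipv6(SERVER, CLIENT, NH_TCP, flow_label=0x12345,
                           payload=struct.pack("!HH", 443, 40000) + b"\x00" * 16)
ICMP_ERROR = build_ipv6(ROUTER, SERVER, NH_ICMPV6,
                        payload=struct.pack("!BBHI", 2, 0, 0, 1280) + REPLY_SEGMENT[:48])

if __name__ == "__main__":
    sample = [TCP_SEGMENT, TCP_OTHER_PORT, REPLY_SEGMENT, ICMP_ERROR]
    for name, policy in (("5-tuple", key_5tuple), ("flow-label", key_flow_label)):
        print(f"{name:10s} unkeyed:", buckets(sample, policy))
        print(f"{name:10s} keyed:  ", buckets(sample, policy, b"local-secret"))
```

Two things the output makes visible: the flow-label key does not need to parse past the fixed header (the performance argument in the thread), but it is chosen by the remote sender, which is the RFC 6437 Section 6 concern about untrusted input reaching the hash; the ICMPv6 error has no ports at all, so neither key ties it to the TCP flow it reports on. Keying the hash with a device-local secret, as the `secret` argument does here, is a general mitigation for the predictability part and is my addition, not something the thread claims any device supports.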