draft-ietf-ippm-6man-pdm-option-04.txt | draft-ietf-ippm-6man-pdm-option-05.txt | |||
---|---|---|---|---|
INTERNET-DRAFT N. Elkins | INTERNET-DRAFT N. Elkins | |||
Inside Products | Inside Products | |||
R. Hamilton | R. Hamilton | |||
Chemical Abstracts Service | Chemical Abstracts Service | |||
M. Ackermann | M. Ackermann | |||
Intended Status: Proposed Standard BCBS Michigan | Intended Status: Proposed Standard BCBS Michigan | |||
Expires: March 17, 2017 September 13, 2016 | Expires: March 18, 2017 September 14, 2016 | |||
IPv6 Performance and Diagnostic Metrics (PDM) Destination Option | IPv6 Performance and Diagnostic Metrics (PDM) Destination Option | |||
draft-ietf-ippm-6man-pdm-option-04 | draft-ietf-ippm-6man-pdm-option-05 | |||
Abstract | Abstract | |||
To assess performance problems, measurements based on optional | To assess performance problems, measurements based on optional | |||
sequence numbers and timing may be embedded in each packet. Such | sequence numbers and timing may be embedded in each packet. Such | |||
measurements may be interpreted in real-time or after the fact. An | measurements may be interpreted in real-time or after the fact. An | |||
implementation of the existing IPv6 Destination Options extension | implementation of the existing IPv6 Destination Options extension | |||
header, the Performance and Diagnostic Metrics (PDM) Destination | header, the Performance and Diagnostic Metrics (PDM) Destination | |||
Options extension header as well as the field limits, calculations, | Options extension header as well as the field limits, calculations, | |||
and usage of the PDM in measurement are included in this document. | and usage of the PDM in measurement are included in this document. | |||
skipping to change at page 26, line 36 | skipping to change at page 26, line 36 | |||
A "SYN flood" type of attack succeeds because a TCP SYN packet is | A "SYN flood" type of attack succeeds because a TCP SYN packet is | |||
small but it causes the end host to start creating a place holder for | small but it causes the end host to start creating a place holder for | |||
the session such that quite a bit of control block and other storage | the session such that quite a bit of control block and other storage | |||
is used. This is an asynchronous type of attack in that a small | is used. This is an asynchronous type of attack in that a small | |||
amount of work by the attacker creates a large amount of work by the | amount of work by the attacker creates a large amount of work by the | |||
resource attacked. | resource attacked. | |||
For PDM, the amount of data to be kept is quite small. That is, the | For PDM, the amount of data to be kept is quite small. That is, the | |||
control block is quite lightweight. Concerns about SYN Flood and | control block is quite lightweight. Concerns about SYN Flood and | |||
other type of resource consumption attacks (memory, processing power, | other type of resource consumption attacks (memory, processing power, | |||
etc) can be alleviated by having a limit on the size of the control | etc) can be alleviated by having a limit on the number of control | |||
block. | block entries. | |||
We recommend that implementation of PDM SHOULD have a limit on the | We recommend that implementation of PDM SHOULD have a limit on the | |||
size of the control blocks used. | number of control block entries. | |||
8.2 Pervasive monitoring | 8.2 Pervasive monitoring | |||
Since PDM passes in the clear, a concern arises as to whether the | Since PDM passes in the clear, a concern arises as to whether the | |||
data can be used to fingerprint the system or somehow obtain | data can be used to fingerprint the system or somehow obtain | |||
information about the contents of the payload. | information about the contents of the payload. | |||
Let us discuss fingerprinting of the end host first. It is possible | Let us discuss fingerprinting of the end host first. It is possible | |||
that seeing the pattern of deltas or the absolute values could give | that seeing the pattern of deltas or the absolute values could give | |||
some information as to the speed of the end host - that is, if it is | some information as to the speed of the end host - that is, if it is | |||
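Review bot: the rewording from a limit on the "size of the control blocks" to a limit on the "number of control block entries" fixes the real exposure (a flood of new 5-tuples, not the per-entry footprint), but the sentence "We recommend that implementation of PDM SHOULD have a limit on the number of control block entries" still leaves the behaviour at the limit unspecified. Whether a packet for a new flow is simply not tracked, or an existing entry is evicted (and under what policy: oldest, least recently used), affects both how well the bound holds under attack and what the delta fields mean for the flows that lose their entry. Suggest stating what an implementation does when the limit is reached and that the limit SHOULD be configurable. Minor: "other type of resource consumption attacks" should read "other types of resource consumption attacks".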
End of changes. 4 change blocks. 5 lines changed or deleted, 5 lines changed or added.

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/