On Friday, 24 Oct 2003, Tero wrote:

[... snipped quote from Chinna's letter]

> I do not remember where the 20/30 seconds actually came from, but I
> remember someone saying that 30 seconds was quite normal (i.e. that's
> why we use 20 seconds), and as you can see from above Chinna N.R.
> Pellacuru says that there has been a practical recommended timer of 9
> seconds.

Ok, & thanks. I've not come across a NAT with less than a couple of minutes timeout myself, so I suspect this may be very atypical. I don't know if the tradeoffs are different here than in the MIP case, but I know that cellular operators are horrified at the thought of waking up to send packets every 110 seconds. Not that they'd need it if they don't deploy NATs...

> > As for the description of the DOS attack, I still think that should be
> > explicit. What kind of attack is it? What are the details? Doing "the
> > strictest possible checks for UDP packets" how?
>
> There are dozens of different UDP packet attacks, lots of them are
> related to fragments (i.e. sending every other fragment, sending 4000
> small fragments, sending packets that go over the 64k limit etc). I do
> not think it is practical to list them all here.

If they are described in some other RFC, fine, then refer to that. If not, I don't think you should put this mechanism out there without explicitly describing the attacks that this mechanism makes possible, which would not be possible otherwise.

Sorry.

Henrik
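The "strictest possible checks for UDP packets" that Tero mentions, shown as an added defender-side example (not code from this thread or from any IPsec implementation): a small fragment reassembly table that refuses datagrams going over the 64k limit, datagrams arriving in far too many small pieces, and partial datagrams whose withheld pieces never arrive. The 64-fragment cap, the 30-second reassembly timeout and the fragment records fed to it are assumptions constructed for the example.

```python
from collections import namedtuple

MAX_DATAGRAM = 65535       # IPv4 total-length limit, the "64k limit"
MAX_FRAGMENTS = 64         # assumed cap; 4000 small pieces is far beyond it
REASSEMBLY_TIMEOUT = 30.0  # assumed; seconds a partial datagram may wait

# ident: IP identification shared by all pieces; offset/length: byte range of
# this piece; more: "more fragments" flag; t: arrival time (constructed clock)
Fragment = namedtuple("Fragment", "ident offset length more t")

class Reassembler:
    """Tracks per-datagram state {ident: {"seen", "pieces", "total"}}."""
    def __init__(self):
        self.partial = {}
        self.dropped = []   # (ident, reason) audit log

    def feed(self, f):
        """Return 'complete', 'pending' or 'dropped:<reason>'."""
        for ident, p in list(self.partial.items()):     # reclaim stale state so
            if f.t - p["seen"] > REASSEMBLY_TIMEOUT:    # withheld pieces ("every
                self._drop(ident, "timeout")            # other fragment") can't pin memory
        end = f.offset + f.length
        if end > MAX_DATAGRAM:                          # packet over the 64k limit
            return self._drop(f.ident, "oversize")
        p = self.partial.setdefault(f.ident, {"seen": f.t, "pieces": {}, "total": None})
        if p["total"] is not None and end > p["total"]: # piece past the announced end
            return self._drop(f.ident, "oversize")
        p["pieces"][f.offset] = f.length
        if len(p["pieces"]) > MAX_FRAGMENTS:            # thousands of tiny pieces
            return self._drop(f.ident, "too-many-fragments")
        if not f.more:
            p["total"] = end
        if p["total"] is not None and self._covered(p["pieces"], p["total"]):
            del self.partial[f.ident]
            return "complete"
        return "pending"

    def _drop(self, ident, reason):
        self.partial.pop(ident, None)
        self.dropped.append((ident, reason))
        return "dropped:" + reason

    @staticmethod
    def _covered(pieces, total):
        pos = 0
        for off in sorted(pieces):
            if off > pos:
                return False                            # hole: a piece is missing
            pos = max(pos, off + pieces[off])
        return pos >= total
```

A real stack would also bound the total memory held by all partial datagrams together, not only per datagram.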