[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation
Matthijs Mekking
matthijs at nlnetlabs.nl
Tue Mar 5 12:48:35 UTC 2013
On 03/05/2013 12:11 PM, Paul Vixie wrote:
> Matthijs Mekking wrote:
>> I think we are implementing the same idea right now. I disagree that,
>> just because we don't use bucket chains, we don't implement RRL.
>
> if you are sharing a set of counters between several tuples, you'll be
> dropping responses that aren't above-threshold. note that it makes no
> difference whether you're using hash tables or some other kind of data
> structure to select a bucket; sharing a bucket is the problem.
But that is not what we are doing. If there is a collision, we reset the
counter; we don't group them together.
>>
>> We have implemented randomized seed so that collisions are not
>> predictable.
>
> i heard that and i'm glad that you can't be induced by an attacker to
> increment a chosen bucket. but that's not the problem.
>
>> Current implementation does not see many collisions occur.
>
> unless you have tested with the real workload of several large authority
> servers then your collision measurements are not dispositive.
>
>> If we would see more collisions, we could implement bucket chains or
>> some other collision avoidance mechanism in NSD.
>
> how will you know?
I hope our users will give us that feedback (we ourselves are a user
too). If collisions occur, they should see frequent unblock/block log
messages, and an increase in outbound traffic because of the flapping.
Best regards,
Matthijs
>
> paul
>
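The two collision policies argued over above, as an added Python simulation that is not NSD or Knot code: a seeded bucket table where a collision either shares the counter between tuples (what Paul objects to) or hands the bucket to the newcomer and resets the counter (what Matthijs describes), so you can see the wrongful drop in the first case and the block/unblock flapping plus extra outbound responses in the second. Table size, rate limit, seed and the query tuples are all constructed for the demo.

```python
"""Toy model of RRL bucket-collision policies. Added illustration, not NSD
or Knot code; table size, limit, seed and query tuples are constructed."""
import hashlib
from collections import Counter

LIMIT = 5        # constructed: responses per tuple per slot before dropping
TABLE_SIZE = 8   # constructed: tiny table so a collision is easy to reach

def bucket_index(key, seed, size=TABLE_SIZE):
    """Seeded hash: which bucket a tuple lands in is not predictable."""
    h = hashlib.blake2b(repr(key).encode(), key=seed, digest_size=8)
    return int.from_bytes(h.digest(), "big") % size

def find_colliding_pair(seed, size=TABLE_SIZE):
    """Return two distinct (source, qname) tuples that share one bucket."""
    seen = {}
    for i in range(10_000):
        key = (f"192.0.2.{i % 256}", f"q{i}.example.")  # constructed tuples
        idx = bucket_index(key, seed, size)
        if idx in seen:
            return seen[idx], key
        seen[idx] = key
    raise RuntimeError("no collision in search space")

def simulate(policy, queries, seed):
    """Push one slot of queries through the table under one collision policy.
    'shared': colliding tuples share a counter, so a below-threshold tuple
              is dropped on the heavy tuple's count.
    'reset' : the newcomer takes the bucket and the counter restarts, so no
              tuple is wrongly dropped but the bucket flaps open/blocked."""
    table, sent, dropped, flaps = {}, Counter(), Counter(), 0
    for key in queries:
        idx = bucket_index(key, seed)
        owner, count = table.get(idx, (key, 0))
        if owner != key and policy == "reset":
            if count > LIMIT:           # bucket was blocking, now reopens
                flaps += 1
            owner, count = key, 0
        count += 1
        table[idx] = (owner, count)
        (dropped if count > LIMIT else sent)[key] += 1
    return {"sent": dict(sent), "dropped": dict(dropped), "flaps": flaps}

def demo(seed=b"constructed-seed"):
    """One heavy tuple (20 queries) interleaved with a light one (2 queries)."""
    heavy, light = find_colliding_pair(seed)
    queries = ([heavy] * 10 + [light]) * 2
    return {p: simulate(p, queries, seed) for p in ("shared", "reset")}
```

Under "shared" the light tuple is dropped twice despite sending only two queries; under "reset" it is never dropped, but the heavy tuple gets twice as many responses through and the bucket flaps twice.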