Re: Re[4]: ILUG on leb.net
On Thu, 5 Nov 1998, Evgeny Stambulchik wrote:
> Doron Shikmoni <doron@isoc.org.il> wrote:
>
> which I evidently don't have. I express here my own feeling towards
> the quality of the IIX services - being merely a _user_ of the latter.
Can you please specify what is the problem you experience with IIX, and
exactly where do you encounter a reliability problem? I am keeping IIX
statistics for almost a year now, and there is NO, and I repeat, NO
problem whatsoever with IIX reliability. The only problem is Netvision,
who hosts a whole lot of domains, and since their 2Mbit Sifranet is so
overloaded, people blame IIX. In fact, I am getting great connectivity to
all ISPs in Israel, be it Internet Zahav, ISDN Net, Actcom, etc etc. I
haven't encountered any IIX problem, except for Bezeq's maintenance windows
of their frame relay network. (the only problem, also Bezeq related, was
when they migrated their frame-relay network to new equipment).
> And from this my very own experience, the reliability of IIX
> connections is not very good - it's not that rarely an .il domain is
> more difficult to reach (from Israel!) than an US site.
And I bet that 99.9999% of those domains are behind Netvision.
> As well, I've
> seen not once and not twice traceroutes between two .il domains going
> through US routers - while both sites' ISPs were connected to IIX.
This is not an IIX problem. Usually, the ones to blame are either the
involved parties, or Bezeq.
> But _you_ - you definitely have the facts needed to persuade me in the
> good quality of IIX. I'd like to see reliable comparison between
> quality of national network interconnectivity of Israel and XXX (= US
> or any West Europe country). If you can prove that both are more or
> less the same, I agree to beg your (or anyone else's) pardon.
> Otherwise, you may want to talk to network specialists from XXX - they
> probably have the valuable ideas you're looking for.
You can conduct such a research yourself, by reading about CIX, and
others.
>
> This, BTW, I'd like to understand. I've seen statements here and there that
> disabling ICMP completely is a Wrong Thing. But why? (Not on routers, which is
> quite clear, but end-point sites).
>
There is nothing wrong in blocking icmp to remote sites. I don't see the
advantage of blocking icmp on a host that has the same connection
as the router. The scenarios where blocking ICMP for a site is useful
are, for example:
1). To protect the machine against icmp unreachable attacks (nuke). For
this, you can use the Cisco access-lists and block only the unreach
types.
2). The link used by your host is substantially slower than the link the
router has. For example, if you are on a 128kbit/sec frame-relay link
behind a 10Mbit linked router, it would be advisable to block icmp on
the router if you are ping flooded. But, if you have the same
connection as your router, then if the ping flood can saturate your
10Mbit link, it will also saturate the router's one, resulting in the
same problem.
Of course there are more scenarios, but usually, blocking icmp is used
to protect HOT targets, like IRC servers.
Best regards,
--Ariel
>
> Regards,
>
> Evgeny
>
>
> --
> ____________________________________________________________
> / Evgeny Stambulchik <fnevgeny@plasma-gate.weizmann.ac.il> \
> /Plasma Laboratory, Weizmann Institute of Science, Israel \ \
> |Phone : (972)8-934-3610 == | == FAX : (972)8-934-3491 | |
> |URL : http://plasma-gate.weizmann.ac.il/~fnevgeny/ | |
> |Finger for PGP key >=====================================+ |
> |______________________________________________________________|
>
+---------------------------------------------------------------+
| Ariel Biener |
| e-mail: ariel@post.tau.ac.il Work phone: 03-6406086 |
| fingerprint = 07 D1 E5 3E EF 6D E5 82 0B E9 21 D4 3C 7D 8B BC |
+---------------------------------------------------------------+
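
Scenario 1 in the message above (drop only the ICMP unreachable types and let other ICMP through) written as a packet-level decision. This is an added example, not code from the post or from any Cisco product. The function names and sample messages are constructed, and the `keep_frag_needed` option, which exempts type 3 code 4 because path MTU discovery (RFC 1191) relies on it, is an assumption that goes beyond the post.

```python
import struct

ICMP_DEST_UNREACH = 3   # ICMP type 3: destination unreachable
CODE_FRAG_NEEDED = 4    # type 3 code 4: "fragmentation needed", used by path MTU discovery


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Build a sample ICMP message with a valid checksum (constructed test data)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload


def filter_icmp(message: bytes, keep_frag_needed: bool = False) -> str:
    """Return 'drop' or 'pass' for one ICMP message (IP header already removed).

    Hypothetical policy modelled on scenario 1: every type 3 message is
    dropped, all other ICMP types pass. With keep_frag_needed=True (an
    assumption, not from the post) type 3 code 4 is let through.
    """
    if len(message) < 8:
        return "drop"   # truncated: no complete ICMP header
    if inet_checksum(message) != 0:
        return "drop"   # a valid message checksums to zero
    icmp_type, code = message[0], message[1]
    if icmp_type == ICMP_DEST_UNREACH:
        if keep_frag_needed and code == CODE_FRAG_NEEDED:
            return "pass"
        return "drop"
    return "pass"


if __name__ == "__main__":
    samples = {"echo request": build_icmp(8, 0, b"ping"),
               "port unreachable": build_icmp(3, 3),
               "fragmentation needed": build_icmp(3, 4)}
    for name, msg in samples.items():
        print(name, filter_icmp(msg), filter_icmp(msg, keep_frag_needed=True))
```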