Re: Efficient public peer access control *without ACLs*

From: Bill Wichers <billw@dont-contact.us>
Date: Thu, 16 Oct 1997 19:06:31 -0400 (EDT)

On Wed, 15 Oct 1997, Dave Zarzycki wrote:

> I had an idea and I'm looking for comments and criticism.
> ---------
>
> I'm getting really frustrated with some people who are abusing the cache
> registration service (tracker.nlanr.net). It tells you to ask the cache
> administrator for permission and access, but alas, some bozos try to use
> my cache (and probably others) without asking.

Agreed 110%!

> If we could implement a special feature that would add ICP clients to the
> netdb, then we could selectively not respond to ICP requests if the client
> is too far away. We might even send a UDP_TOOFAR response back to say
> why we're denying the remote clients and that the remote cache should
> stop querying the local cache for a given amount of time (UDP_TOOFAR is
> made up and is in no way official). If the remote client continues to
> query, then they will be ignored.
>
> # distant_peer_deny (icmp rtt) (hops)
> # If the ICP client is farther than "x" milliseconds
> # away, or "x" hops, then deny.
> distant_peer_deny 200 10

Sounds like an excellent idea. Perhaps the already existing ICMP pinging
stuff could provide a base for this.

I suggest a modification, though, to allow for instantaneous network
glitches. How about:

# distant_peer_deny (icmp rtt) (percent) (hops)
# If the ICP client is farther than "z" hops away,
# or if more than y% of pings to the client exceed
# x milliseconds, then deny.
distant_peer_deny 200 75 10

Defaults of 250 milliseconds, 75%, and 10 hops are probably pretty good.
Maybe 15 hops for those connected by Sprintlink or MCI :-)

        -Bill
Received on Thu Oct 16 1997 - 16:14:19 MDT
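The rule discussed in this thread, worked through as an added example (this is not Squid code and not something either poster wrote): a small in-memory table modelled loosely on the netdb keeps recent ICMP RTT samples and a hop count per peer, and an ICP query is answered, refused with the hypothetical UDP_TOOFAR reply, or silently dropped depending on the `distant_peer_deny <rtt_ms> <percent> <hops>` thresholds. It also shows the difference between judging by the latest ping alone and by the percentage rule: a nearby peer with two glitchy samples is denied under the first and still answered under the second. The peer addresses, RTT samples, window size and 300 second hold-off are all constructed for the example.

```python
"""Distance-based ICP access control (added example; not Squid code).

Implements the `distant_peer_deny <rtt_ms> <percent> <hops>` rule from the
thread against a small in-memory table modelled loosely on Squid's netdb:
per peer address it keeps recent ICMP RTT samples and a hop count. The
table, the peer addresses, the RTT samples and the hold-off period are
constructed for the example; UDP_TOOFAR is the made-up reply code from the
thread, not a real ICP opcode.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DistantPeerDeny:
    """Thresholds: deny if the hop count exceeds `hops`, or if more than
    `percent` percent of the recent pings exceeded `rtt_ms`."""
    rtt_ms: int = 250
    percent: int = 75
    hops: int = 10       # 15 might suit peers behind Sprintlink or MCI


@dataclass
class PeerRecord:
    hops: int
    rtts: deque                              # recent RTT samples, milliseconds
    toofar_sent_at: Optional[float] = None   # when we last sent UDP_TOOFAR


class IcpDistanceFilter:
    def __init__(self, policy=DistantPeerDeny(), window=8, holdoff_s=300):
        self.policy = policy
        self.window = window        # samples kept per peer
        self.holdoff_s = holdoff_s  # how long UDP_TOOFAR asks the peer to stay quiet
        self.peers = {}

    def record_ping(self, addr, rtt_ms, hops):
        """Store one ICMP measurement for `addr` (oldest sample is evicted)."""
        rec = self.peers.get(addr)
        if rec is None:
            rec = self.peers[addr] = PeerRecord(hops, deque(maxlen=self.window))
        rec.hops = hops
        rec.rtts.append(rtt_ms)

    def too_far_single_sample(self, addr):
        """Original proposal: judge by the hop count and the latest ping alone."""
        rec = self.peers.get(addr)
        if rec is None or not rec.rtts:
            return False
        return rec.hops > self.policy.hops or rec.rtts[-1] > self.policy.rtt_ms

    def too_far(self, addr):
        """Modified rule: hop limit plus a percentage of slow pings, so one
        glitchy sample does not flip a nearby peer to denied."""
        rec = self.peers.get(addr)
        if rec is None or not rec.rtts:
            return False            # nothing measured yet: cannot deny on distance
        if rec.hops > self.policy.hops:
            return True
        slow = sum(1 for r in rec.rtts if r > self.policy.rtt_ms)
        # "more than y%", compared with integers to avoid float edge cases
        return 100 * slow > self.policy.percent * len(rec.rtts)

    def handle_query(self, addr, now):
        """Decide what to do with an ICP query from `addr` at time `now`.
        Returns 'ANSWER', 'TOOFAR' (send UDP_TOOFAR) or 'IGNORE' (drop)."""
        if not self.too_far(addr):
            return "ANSWER"
        rec = self.peers[addr]
        if rec.toofar_sent_at is not None and now - rec.toofar_sent_at < self.holdoff_s:
            return "IGNORE"         # kept querying inside the hold-off: dropped
        rec.toofar_sent_at = now    # first refusal, or hold-off expired: say why
        return "TOOFAR"


def build_demo_filter():
    """Constructed sample data: three peers with documentation-range addresses."""
    f = IcpDistanceFilter()
    for rtt in (40, 45, 50, 900, 48, 52, 47, 950):        # nearby, two glitches
        f.record_ping("192.0.2.10", rtt, hops=6)
    for rtt in (300, 320, 280, 310, 290, 305, 330, 295):  # consistently slow
        f.record_ping("198.51.100.20", rtt, hops=8)
    for rtt in (100, 100, 100, 100, 100):                 # fast, but too many hops
        f.record_ping("203.0.113.30", rtt, hops=14)
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for addr in f.peers:
        print(addr, "single-sample:", f.too_far_single_sample(addr),
              "percentage:", f.too_far(addr))
    for t in (0, 10, 299, 301, 305):
        print(t, f.handle_query("198.51.100.20", t))
```

The percentage comparison uses `>` rather than `>=` because the proposal says "more than y%"; with the 75% default, six slow pings out of eight are tolerated and seven are not. A peer with no measurements is never refused on distance, so in practice the first query from an unknown peer would be answered while the pinger gathers samples.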

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:17 MST