Added discussion of overload protection mechanisms mainly in
Section 8.4, with supporting text in Section 4.1.1 and
Section 4.3.2 (noting that deciding to bypass signalling can be
done for overload protection reasons).
New overload text in 8.4:
There is a potential overload condition if a node is flooded with
Query or Confirm messages. One option is for the node to bypass
these messages altogether as described in Section 4.3.2, effectively
falling back to being a non-NSIS node. If this is not possible, a
node MAY still choose to limit the rate at which it processes Query
messages and discard the excess, although it SHOULD first adapt its
policy to one of sending Responses statelessly if it is not already
doing so. A conformant GIST node will automatically decrease the
load by retransmitting Queries with an exponential backoff. A non-
conformant node (launching a DoS attack) can generate uncorrelated
Queries at an arbitrary rate, which makes it hard to apply rate-
limiting without also affecting genuine handshake attempts. However,
if Confirm messages are requested, the cookie binds the message to a
Querying node address which has been validated by a return
routability check and rate-limits can be applied per-source.
and on flow control in 4.1.1:
A signalling application is free to choose the rate at which it
processes inbound messages; an implementation MAY allow the
application to block accepting messages from GIST. In these
circumstances, GIST MAY discard unreliably delivered messages, but
for reliable messages MUST propagate flow-control condition back to
the sender. Therefore, applications must be aware that they may in
turn be blocked from sending outbound messages themselves.
|
