Aaron Falk wrote:
> I think one can make the case that having border protection may
> prevent a DOS attack from consuming interior network resources and
> allowing interior hosts to communicate amongst themselves.
And if your interior network resources are less than 10x your external
resource, you have an unusual network indeed. Yes it may be more
convenient to have the border deal with DOS, but is it *required* as
> recently had some fierce DOS attacks on our ISP but I'm still able to
> run NFS without a problem. This is a good thing.
NFS & 'good thing' are a matter of personal opinion. In any case if NFS
has trouble running when it has less than 90% of the interior resource,
one might have to question which set of packets should be defined as the