People are praising the transparency of this report, but I am not sure I agree because of this point. When I read the report, I had to stop to think when I read the part about packet size to conclude that they had to be talking about an IPv6 packet using the hop-by-hop extension for fragmented packets. That is a special case, because you don't actually know the length of the packet until you receive the last fragment.
As a consequence, fragmented IPv6 packets are error for use in DoS attacks. This is not a "weird" occurrence, but rather an expected one, and since end points are not required to accept such huge packets, I am surprised Cloudflare wasn't already doing all it could to advertise to upstream sources that IPv6 fragments longer than a much smaller than 90K should be dropped, at least if routed to their DNS. I am also surprised that their software came up with that kind of a response without first validating that it wouldn't cause the exact memory problem it did. Rules on v6 fragmented packets that can't match on a single fragment are inherently dangerous. It is only reasonable to have safeguards already in place for them.
I am also not sure this is really a bug in Juniper software. I imagine the memory problem only shows up with high traffic and in the midst of a DoS attack. That is kind of a given when you put a rule like that in that kind of a situation.
Yes, but they were still seeing packets bigger than the MTU of Ethernet (or SONET or whatever other layer 1/2 tech they're connected to the rest of the net with). It doesn't matter what higher level protocols can handle.
Which is precisely why it seems like lunacy to roll out such an asinine firewall rule to every router. If there was ever a time to "spot check" a change, this was it.
They didn't. And they paid the price. Good on 'em for the quick and honest post-mortem. Regardless, it was a dumb move.
Perhaps then you aren't aware that IPv6 stacks can reach IPv4 addresses, nor that IPv6 packets are a popular way to compromise systems that support both IPv6 and IPv4, because the IPv6 stacks are not as well hardened.
Anytime someone starts carrying a gun around and acting like a cop while being trained and uniformed as a cop, there's going to be problems, if you film them.
I don't see why they use civilians to look at and screen videos. Hope they have a watchman for the watchmen and informed officers who know about taping police at work.
So you would need to write your own Foreign Data Wrapper and implement some mechanism to tell it if the SQL code is meant for the first or the second interpreter?
Like: SELECT * FROM redis_db0 USING_REDIS limit 5;
And Postgres would just pass that "USING_REDIS limit 5" through to Redis? Then Postgres would pass that table (or array?) back to the caller.
Wait, wouldn't this also need modification of the DB engine itself?
Today was my first real usage of PostGres (moving one of our assetdb from sqlite to it, and although the update of the db is 5 times slower - well, I haven't really done well there - the query later (which is more important) went from 1.5sec to 300msec on one recent example - about 100,000 assets for a video game).
I've also looked briefly at fdw, as a coworker of mine is trying out mongodb for our level editor... Looked at all implementations and read every fdw's code there (except oracle - as it seems most complex, but for good reason I guess - it checks the pgsql's AST (is that how it's called?) more deeply).
Then let us welcome you with some pedantry! Postgres or PostgreSQL, but never PostGres or--FSM forbid--PostGreSQL.
More seriously,
> fdw looks easy to start, but probably hard to master it.
Yep, like a number of Postgres features, such as user-defined types and user-defined aggregates. It's a great system, and not nearly as stuffy or hard to use as you may have heard.
A recent proof that Supercell founders know how to execute is that they changed their focus from Facebook games to iPad and have released two successful and polished iPad games in a short period of time. Both Clash of Clans and Hay Day are hitting top grossing lists. And they have a third polished title, Battle Buddies, coming out soon.
Nope. Don't be afraid to release broken. As the full quote goes: "Release early. Release often. And listen to your customers".
Trying to perfect a product by yourself is hard, and other people always find a genuine way to break it. I believe that it is more important to be first out, first with samples and first with some kind of a product to sell that improves with time.
> An optional feature of IPv6, the jumbo payload option, allows the exchange of packets with payloads of up to one byte less than 4 GiB