ICMPv6 Rate Limiting
ICMPv6 rate limiting is a throttling mechanism that protects against
ICMPv6 flooding and DoS/DDoS attempts. It combines two controls, an
error packet rate and a token bucket, which work together to throttle
ICMPv6 traffic so that ICMPv6 packets cannot flood the network segments
protected by the firewall.
First, the global ICMPv6 Error Packet Rate (per sec) setting controls
the rate at which ICMPv6 error packets are allowed through the firewall.
The default is 100 packets per second; the range is 10 to 65535 packets
per second. When the firewall reaches the configured ICMPv6 error packet
rate, the token bucket comes into play and throttling occurs, as
follows.
A logical token bucket governs the rate at which ICMPv6 messages can be
transmitted. The capacity of the bucket is configurable, and each token
represents one ICMPv6 message that may be sent. Sending an ICMPv6
message consumes one token; once the bucket is empty, no further ICMPv6
messages can be sent until tokens are added back to the bucket.
The default size of the token bucket is 100 tokens (packets); the
range is 10 to 65535 tokens.
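The following token-bucket model is an added example, not the firewall's own code, written to show how the two settings above interact under a burst of ICMPv6 error packets. It uses the documented defaults (100 packets per second, a 100-token bucket) and the documented ranges (10 to 65535 for each). One assumption is made, because the text says only that tokens are added back to the bucket and not how quickly: the bucket refills at the configured error packet rate, capped at the bucket size. The traffic fed through it is constructed.

```python
"""Token-bucket throttle modelling the ICMPv6 error-packet rate limit.

Added example, not the firewall's implementation. Assumption: the bucket
refills at rate_pps tokens per second, never above bucket_size; the text
does not state the refill rule.
"""

# Configurable ranges quoted in the text.
RATE_MIN, RATE_MAX = 10, 65535       # ICMPv6 Error Packet Rate (per sec)
BUCKET_MIN, BUCKET_MAX = 10, 65535   # token bucket size, in packets


class Icmpv6ErrorRateLimiter:
    """Forwards at most bucket_size ICMPv6 error packets in one burst and,
    over time, no more than rate_pps per second on average."""

    def __init__(self, rate_pps=100, bucket_size=100):   # documented defaults
        if not RATE_MIN <= rate_pps <= RATE_MAX:
            raise ValueError(f"rate must be {RATE_MIN}..{RATE_MAX} pps, got {rate_pps}")
        if not BUCKET_MIN <= bucket_size <= BUCKET_MAX:
            raise ValueError(f"bucket must be {BUCKET_MIN}..{BUCKET_MAX} tokens, got {bucket_size}")
        self.rate_pps = rate_pps
        self.bucket_size = bucket_size
        self.tokens = float(bucket_size)   # the bucket starts full
        self.last_ts = 0.0

    def _refill(self, now):
        # Credit tokens for the time elapsed since the last packet (assumed
        # refill rule), never exceeding the bucket's capacity.
        elapsed = max(0.0, now - self.last_ts)
        self.tokens = min(float(self.bucket_size), self.tokens + elapsed * self.rate_pps)
        self.last_ts = now

    def allow(self, now):
        """Return True if an ICMPv6 error packet arriving at time `now`
        (seconds) may be forwarded, consuming one token; False if it must
        be dropped because the bucket is empty."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(limiter, arrival_times):
    """Feed packet arrival timestamps (seconds, non-decreasing) through the
    limiter and return (forwarded, dropped) counts for that batch."""
    forwarded = dropped = 0
    for ts in arrival_times:
        if limiter.allow(ts):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


def burst_scenario():
    """Constructed traffic: three bursts of ICMPv6 error packets against the
    default 100 pps / 100-token configuration."""
    limiter = Icmpv6ErrorRateLimiter()
    return [
        simulate(limiter, [0.0] * 250),  # full bucket: 100 pass, 150 dropped
        simulate(limiter, [0.5] * 75),   # 0.5 s refills 50 tokens: 50 pass, 25 dropped
        simulate(limiter, [2.0] * 120),  # 1.5 s would add 150, capped at 100: 100 pass, 20 dropped
    ]


if __name__ == "__main__":
    for i, (fwd, drop) in enumerate(burst_scenario(), 1):
        print(f"burst {i}: forwarded={fwd} dropped={drop}")
```

The scenario shows the practical meaning of the two knobs: the bucket size bounds how many error packets a single burst can push through, while the per-second rate bounds the sustained throughput once the burst has drained the bucket. Values outside the documented ranges are rejected at construction time.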