Comment 3 for bug 1155566

Robert Clark (robert-clark) wrote :

Difficult to say which way to go other than the rather obvious 'do both'.

Large scale deployments will no doubt have the ability to rate limit at their border LBs; smaller setups may need a middleware solution, but they're less likely to have an attacker profile that would necessitate this in the first place.

My understanding was that from an architectural point of view the desire was to avoid putting extra security controls into OpenStack, instead looking for other compensating controls to be put in place. I'm reasonably happy either way, just wondering if this signifies a shift in policy.

My feeling is that Folsom users may be looking for this to be backported. That said, the OSSG are happy to write up a few compensating controls (configure nginx/apache this way, set up your LB for X, etc.) and can reference a backported patch if one exists.