[NANOG] Limiting ICMP
Rob Thomas
robt at cymru.com
Wed May 21 21:18:36 UTC 2008
Yep, agreed, we need to update those docs. The basic ICMP filtering
guide still resides here, and comments are welcome:
<http://www.cymru.com/Documents/icmp-messages.html>
John Kristoff wrote:
> On Sat, 17 May 2008 23:53:00 -0400
> Drew Weaver <drew.weaver at thenap.com> wrote:
>
>> I'm wondering if anyone else has run into this/has heard of/(is responsible for)/knows the reason behind large IP providers limiting ICMP on outbound connections to the same amounts regardless of the size of the circuit?
>>
>
> I might be partially responsible for furthering some of that activity.
> I've done this sort of thing on initial ingress facing links (e.g. LAN
> segments with client-oriented systems) and it was me who provided the
> sample configs for the cymru junos template for limiting udp and icmp.
>
> Perhaps I mentioned it on a mailing list or in some internal documentation
> somewhere, but the way I've done it is typically to limit those two IP
> protocols (and sometimes other things like multicast) to some fraction
> of a percent on an edge LAN ingress link speed, which is not in the
> template. Egress, aggregate and peering/Internet facing links shouldn't
> have these limits (yes, kind of a pain to manage if you're not good at
> router config management). Unfortunately I didn't provide all that
> detail to the cymru folks at the time and as I'm sure they are aware
> those templates are quite a bit outdated now and could easily take some
> heavy revisioning.
>
> In the environments where I've done this, my experience was that it was
> an acceptable practice at the time and in a couple cases it did help the
> net upstream when something went wrong (e.g. this did stop some real
> DoS traffic for me more than once). I made use of protocol counters or
> some monitoring tools to ensure they were not unnecessarily dropping
> valid packets. Your mileage may vary of course, as it apparently does?
>
> John
>
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/
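The approach John describes, a per-protocol rate limit on a client-facing LAN ingress interface and counters to confirm it is not discarding legitimate traffic, looks roughly like the following in Junos. This is an added example for this archive page, not the Team Cymru template nor anything Rob or John posted. The interface name `ge-0/0/0`, the 1 Gbps link speed, the 0.5% fraction (hence `5m`), the burst size and all filter, term, counter and policer names are assumptions chosen for illustration.

```junos
/* Added example, not the Team Cymru junos template.
   Polices ICMP and UDP on a LAN-facing ingress interface only. */
firewall {
    /* Assumed 1 Gbps LAN link; 0.5% of that is 5 Mbps.
       Burst size is an assumption: roughly ten full-size Ethernet frames. */
    policer lan-icmp-policer {
        if-exceeding {
            bandwidth-limit 5m;
            burst-size-limit 15k;
        }
        then discard;
    }
    /* Separate policer so UDP and ICMP get independent budgets
       rather than sharing one token bucket. */
    policer lan-udp-policer {
        if-exceeding {
            bandwidth-limit 5m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter lan-ingress-limit {
            term icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer lan-icmp-policer;
                    count icmp-in;      /* total ICMP seen, policed or not */
                    accept;
                }
            }
            term udp {
                from {
                    protocol udp;
                }
                then {
                    policer lan-udp-policer;
                    count udp-in;
                    accept;
                }
            }
            /* Everything else passes untouched; this filter only rate-limits. */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    /* Assumed interface name. Apply as input on the client-facing LAN port only,
       per the thread: not on aggregate, egress or peering/Internet-facing links. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input lan-ingress-limit;
                }
            }
        }
    }
}
```

After commit, `show firewall filter lan-ingress-limit` reports the `icmp-in` and `udp-in` counters alongside the policer discard counters for each term. That is the check John mentions: if the policer counters climb steadily during normal operation rather than only during an event, the limit is set too low for that segment and is dropping valid packets, and the `bandwidth-limit` should be raised before the filter is kept in place.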