icmp rpf

Jared Mauch jared at puck.nether.net
Mon Sep 25 13:34:10 UTC 2006

On Sun, Sep 24, 2006 at 02:59:50PM -0700, Mark Kent wrote:
> A smaller North American network provider, with a modest North
> American backbone, numbers their internal routers on public IP space
> that they do not announce to the world.
> One of the largest North American network providers filters/drops
> ICMP messages so that they only pass those with a source IP
> address that appears in their routing table.

	I would hope they're doing it for more than just ICMP packets.
There are numerous nefarious uses of the network with unrouted/spoofed
address space.  Various hosts have done bad things (in the past)
if they get something like a SYN that appears to be from themselves.
Protecting one's customers from spoofed address DoS attacks and leaking
of unrouted IP space (1918 or otherwise) that isn't globally reachable
I would argue should be, or is a current best practice.

	The "good" packets that are dropped in this scenario are
sufficiently limited (yes, pmtu and these cases of traceroutes, etc..)
but there are also well known solutions and workarounds to this as well.
It's still hard to get people to fix their "deny all icmp" policies that
some companies have that create troubles for others.  I've had issues
accessing my own bank website in the past due to p-mtu issues.  These
aren't places that are easily approachable to resolve the problem in
most cases.

> As a result, traceroutes from big.net into small.net have numerous
> hops that time out.

	Others have pointed out how this can be resolved by
using different techniques and still protect the infrastructure.  It
may be of value for small.net to look at it and see what applies
to them.

> Traceroutes from elsewhere that go into small.net but return on
> big.net also have numerous hops that time out.
> We do all still think that traceroute is important, don't we?

	I agree traceroute is important and valuable.  It's one
of the things I have asked people to send me in the past for debugging,
but isn't the sole source of debugging available.  Other techniques
can be applied.

	Did big.net just turn this on, or has it been on for months/years?

	- jared

Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
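The filter the thread describes (big.net passing packets only when the source appears in its routing table, i.e. a loose-mode reverse-path check) and its effect on a traceroute through small.net's unannounced router addresses, as an added simulation that is not part of the thread; the routing table, prefixes and packets are constructed for the example.

```python
"""Loose-mode reverse-path filter ("pass only if the source is in the routing
table"), modelled on big.net's behaviour in the thread.  Added example, not
from the thread; the table, addresses and packets below are constructed."""
from ipaddress import ip_address, ip_network

# Constructed routing table of big.net.  small.net's customer prefix is
# announced, but small.net's router addresses (203.0.113.0/24, public yet
# unannounced) and RFC 1918 space are absent.  No default route on purpose:
# a loose check against a table holding 0.0.0.0/0 would pass every source.
BIG_NET_TABLE = [ip_network(p) for p in ("198.51.100.0/24", "192.0.2.0/24")]

# Constructed packets arriving at big.net's edge from the small.net side.
# "hop" marks the ICMP time-exceeded replies a traceroute elicits.
PACKETS = [
    {"src": "198.51.100.1", "kind": "icmp time-exceeded", "hop": 1},
    {"src": "203.0.113.7", "kind": "icmp time-exceeded", "hop": 2},
    {"src": "203.0.113.9", "kind": "icmp time-exceeded", "hop": 3},
    {"src": "198.51.100.40", "kind": "icmp time-exceeded", "hop": 4},
    {"src": "10.0.0.5", "kind": "tcp syn", "hop": None},
    {"src": "203.0.113.7", "kind": "icmp frag-needed", "hop": None},  # PMTU
]

def has_route(src, table):
    """Loose-mode check: accept when any prefix in the table covers src."""
    addr = ip_address(src)
    return any(addr in net for net in table)

def apply_filter(packets, table):
    """Split packets into (passed, dropped) lists by the loose check."""
    passed, dropped = [], []
    for pkt in packets:
        (passed if has_route(pkt["src"], table) else dropped).append(pkt)
    return passed, dropped

def traceroute_view(packets, table):
    """Per hop, the address the tracing host sees, or '*' for a timeout."""
    passed, _ = apply_filter(packets, table)
    replies = {p["hop"]: p["src"] for p in passed if p["hop"] is not None}
    hops = sorted({p["hop"] for p in packets if p["hop"] is not None})
    return [replies.get(h, "*") for h in hops]

def with_prefix(table, cidr):
    """Copy of the table with one more prefix present (e.g. now announced)."""
    return table + [ip_network(cidr)]

if __name__ == "__main__":
    print("as filtered:", traceroute_view(PACKETS, BIG_NET_TABLE))
    # If the router prefix were present in big.net's table, the hops return.
    print("router prefix routed:",
          traceroute_view(PACKETS, with_prefix(BIG_NET_TABLE, "203.0.113.0/24")))
```

Note that the frag-needed reply from the unannounced router address is dropped by the same check, which is the PMTU failure mode the reply mentions alongside the traceroute gaps.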
