[62006] in North American Network Operators' Group
Re: 92 Byte ICMP Blocking Problem
daemon@ATHENA.MIT.EDU (jlewis@lewis.org)
Sat Sep 13 23:18:05 2003
Date: Sat, 13 Sep 2003 23:17:39 -0400 (EDT)
From: jlewis@lewis.org
To: "William Devine, II" <william@smartguys.net>
Cc: Nanog <nanog@nanog.org>
In-Reply-To: <001101c3795d$3df2fd40$6401a8c0@corp.pgtechinc.com>
Errors-To: owner-nanog-outgoing@merit.edu
That's really weird. I've been running with
route-map nachiworm permit 10
match ip address nachilist
match length 92 92
set interface Null0
ip access-list extended nachilist
permit icmp any any echo
permit icmp any any echo-reply
ip policy route-map nachiworm
on transit interfaces and the virtual-templates of all our access servers
that can do it properly (just blocking echo/echo-reply on the older ones
that can't do the policy) and haven't heard about any customer complaints
other than "I can't ping" in the places where we've blocked all
echo/echo-reply. The routers doing this (7200/7500)'s are all running
12.2(1-3)S. Access servers are running mostly 12.1M or 12.2XB code.
On Fri, 12 Sep 2003, William Devine, II wrote:
> I had the exact same problem. As soon as I turned it on, within minutes I
> had customers calling that could no longer FTP into Win2k servers and some
> that couldn't SSH into their Linux servers.
> I've since turned it off as well.
> Are there any other known ways to block this?
>
> ----- Original Message -----
> From: "Chris Adams" <cmadams@hiwaay.net>
> To: "Steven M. Bellovin" <smb@research.att.com>
> Cc: "Nanog" <nanog@nanog.org>
> Sent: Friday, September 12, 2003 1:32 PM
> Subject: Re: 92 Byte ICMP Blocking Problem
>
> > I don't have it in place anymore (because it caused more problems than
> > it fixed), so I can't test this. In any case, the route map only
> > matched 92 byte ICMP echo and ICMP echo-reply packets, which is not what
> > PMTU uses, so it shouldn't have had a problem. Also, I know that the
> > MTU along the path for the person in the office is the same all the way,
> > so PMTU shouldn't come into play there.
----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| I route
System Administrator | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
