[92539] in North American Network Operators' Group
Re: icmp rpf
daemon@ATHENA.MIT.EDU (Adrian Chadd)
Mon Sep 25 09:23:42 2006
Date: Mon, 25 Sep 2006 21:23:06 +0800
From: Adrian Chadd <adrian@creative.net.au>
To: nanog@merit.edu
In-Reply-To: <BB6AC07F-1733-4AB8-AAFF-12E0FCBF8C0E@ian.co.uk>
Errors-To: owner-nanog@merit.edu
On Mon, Sep 25, 2006, Ian Mason wrote:
> Filtering ICMP is always dangerous. If you are going to do it you
> *must* understand the consequences both to yourself and to others,
> and also understand the consequences in both normal situations and
> all possible failure modes. (If I had a penny for every broken PMTU
> detection I'd seen because of someone's over-eager filtering of ICMP...)
Is there a BCP for "handling ICMP"?
I'm walking the Cisco certification path and they're quite vocal about
ICMP rate limiting over any kind of filtering on routers/switches.
I haven't read their firewall documentation so I'm not sure what they're
preaching for PIX/ASA.
(Yup, if I had a penny for every PMTU fix-by-unbreaking-ICMP-filtering
I've repaired over the last 10 years...)
Adrian
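The failure mode both posters describe, as an added illustration that is not part of the NANOG thread: a small Python model of Path MTU Discovery in which a sender emits DF packets along a path of routers and lowers its PMTU only when an ICMP "Fragmentation Needed" (type 3, code 4) actually reaches it. A hop that forwards ICMP errors lets PMTUD converge; a hop that filters them blackholes the flow forever, while a hop that only rate-limits them delays convergence but still gets there. The link MTUs, tick counts and background ICMP load are constructed for the simulation; the `ratelimit` policy is a simplification of per-interval ICMP rate limiting, not any specific vendor's implementation.

```python
"""Added example (not from the NANOG thread): a toy model of Path MTU
Discovery showing why dropping ICMP unreachables blackholes traffic
while rate-limiting them only slows PMTUD down.  All MTUs, tick counts
and background load values below are constructed for the simulation."""
from dataclasses import dataclass
from typing import Optional, Tuple, Union

ICMP_FRAG_NEEDED = (3, 4)  # ICMP type 3 (unreachable), code 4 (fragmentation needed, DF set)


@dataclass
class Router:
    """One hop with an egress MTU and an ICMP-error policy.

    policy: 'permit'    -> every Fragmentation Needed is returned to the sender
            'drop'      -> all ICMP errors are filtered (the dangerous case)
            'ratelimit' -> at most `rate` ICMP errors per tick, shared with
                           other flows whose usage is given by `background`
    """
    egress_mtu: int
    policy: str = "permit"
    rate: int = 1
    background: Tuple[int, ...] = ()   # ICMP errors other flows already used, per tick (constructed)
    _tick: int = 0
    _sent_this_tick: int = 0

    def new_tick(self) -> None:
        """Reset the per-tick ICMP budget, pre-charging any background usage."""
        if self.background:
            self._sent_this_tick = self.background[self._tick % len(self.background)]
        else:
            self._sent_this_tick = 0
        self._tick += 1

    def forward(self, size: int) -> Union[None, str, Tuple[int, int, int]]:
        """Forward a DF packet of `size` bytes.

        Returns None if it fits the egress MTU, an (type, code, mtu) ICMP
        error if one is sent back, or 'dropped' if the error was suppressed.
        """
        if size <= self.egress_mtu:
            return None
        if self.policy == "drop":
            return "dropped"
        if self.policy == "ratelimit":
            if self._sent_this_tick >= self.rate:
                return "dropped"          # budget exhausted this tick
            self._sent_this_tick += 1
        return (*ICMP_FRAG_NEEDED, self.egress_mtu)


def simulate(path: list, size: int = 1500, ticks: int = 8) -> Tuple[bool, int, int]:
    """Send one DF packet per tick, shrinking the sender's PMTU on each
    Fragmentation Needed it receives.  Returns (delivered, final_pmtu, ticks_used)."""
    pmtu = size
    for tick in range(1, ticks + 1):
        for hop in path:
            hop.new_tick()
        outcome: Optional[Union[str, Tuple[int, int, int]]] = None
        for hop in path:
            outcome = hop.forward(pmtu)
            if outcome is not None:
                break                       # packet stopped at this hop
        if outcome is None:
            return True, pmtu, tick         # reached the far end
        if isinstance(outcome, tuple):
            pmtu = outcome[2]               # PMTUD: adopt the advertised MTU
        # 'dropped': sender hears nothing and retransmits the same size next tick
    return False, pmtu, ticks               # classic PMTU blackhole


def scenarios() -> dict:
    """Three paths differing only in how the narrow hop handles ICMP."""
    return {
        "permit": simulate([Router(1500), Router(1400), Router(1280)]),
        "drop": simulate([Router(1500), Router(1400, "drop")]),
        "ratelimit": simulate([Router(1400, "ratelimit", rate=1, background=(1, 1, 0))]),
    }


if __name__ == "__main__":
    for name, (ok, pmtu, used) in scenarios().items():
        print(f"{name:9s} delivered={ok} pmtu={pmtu} ticks={used}")
```

Run as a script it prints one line per policy: the permitting path converges to 1280 in three round trips, the filtering path never delivers (the sender keeps retransmitting 1500-byte DF packets into a black hole, which is exactly the "broken PMTU detection" symptom), and the rate-limited path loses the first two ICMP errors to background load but still converges to 1400.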