[92923] in North American Network Operators' Group


Re: Refusing Pings on Core Routers??? A new trend?

daemon@ATHENA.MIT.EDU (Eric Spaeth)
Fri Oct 20 00:38:25 2006

Date: Thu, 19 Oct 2006 23:37:31 -0500
From: Eric Spaeth <eric@spaethco.com>
Reply-To: eric@spaethco.com
To: nanog@merit.edu
In-Reply-To: <6bb5f5b10610191914u5b7f8b0cu3e6cec4986e10bcd@mail.gmail.com>
X-SpaethCo-MailScanner-From: eric@spaethco.com
Errors-To: owner-nanog@merit.edu


Rubens Kuhl Jr. wrote:
> If I recall well, Cisco GSRs impose low priority and/or limits for all
> ICMP traffic flowing thru the box, not just packets to/from router
> itself, and there's not a knob to adjust that.
There'd be no reason to limit ICMP globally -- for traffic through a 
router it's all IP; it doesn't really matter what the sub-protocol 
is.  The forwarding process on the router is the same for all IP 
traffic, the simple breakdown being:

1) Take the source and destination IP and hash them to get an index value
2) Look up the destination prefix in the forwarding table (the CEF table 
on Cisco hardware)
3) Match the hashed index value in the CEF table with an outbound interface
4) Puke the packet out the destination interface.

All of these tasks are easily done in hardware ASICs because they are 
just doing simple hashing and bit comparisons.  If the destination 
prefix is already populated in the CEF table then there is no 
CPU/software involved in the process. The hashing is to keep traffic 
from source to destination on a single interface to reduce out-of-order 
delivery.

To respond to ICMP, however, the packet needs to be routed up to the CPU 
to be handled.   There the packet must be inspected, and an entirely new 
packet must be created to be sent back.  While individually these 
responses take a negligible amount of CPU time, if you get enough 
devices flooding you with ICMP requests it starts to add up.  Since 
processor time is used for other semi-important tasks like maintaining 
BGP peering, it is often prudent to rate-limit ICMP handling by the router.

Overall this is a bigger issue with IOS devices; Juniper has a whole 
architecture built into JunOS to protect the CPU so they can often get 
by without end-user configuration to limit impact.

-Eric
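The two paths Eric contrasts, as an added toy model (not code from the post, from Cisco, or from any router vendor): transit packets take the hash-and-lookup fast path regardless of protocol, while packets addressed to the router itself are punted to the CPU and, for ICMP, pass through a token-bucket rate limiter. The prefixes, interface names, router address and rate-limit numbers are all constructed for the example.

```python
"""Toy model of the fast path vs. the CPU punt path described in the post.

Constructed example: hypothetical prefixes, interface names, router address
and rate-limit numbers; not a real router implementation.
"""
import hashlib
import ipaddress

# Steps 2/3 data: prefix -> list of equal-cost outbound interfaces (constructed).
FORWARDING_TABLE = {
    ipaddress.ip_network("0.0.0.0/0"): ["ge-0/0/0"],
    ipaddress.ip_network("10.0.0.0/8"): ["ge-0/0/1", "ge-0/0/2"],  # two equal-cost paths
    ipaddress.ip_network("10.1.0.0/16"): ["ge-0/0/3"],
}
# Addresses owned by the router itself (constructed); traffic to these is punted.
ROUTER_ADDRESSES = {ipaddress.ip_address("10.1.0.1")}


def flow_hash(src, dst):
    """Step 1: hash the source/destination pair into a stable index so every
    packet of one flow picks the same path (limits out-of-order delivery)."""
    digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
    return int.from_bytes(digest[:4], "big")


def lookup_prefix(dst):
    """Step 2: longest-prefix match against the forwarding table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, ifaces in FORWARDING_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best


def select_interface(src, dst):
    """Steps 3/4: map the hashed index onto one of the equal-cost interfaces."""
    entry = lookup_prefix(dst)
    if entry is None:
        return None
    _, ifaces = entry
    return ifaces[flow_hash(src, dst) % len(ifaces)]


class TokenBucket:
    """Rate limiter for packets punted to the CPU ('rate-limit ICMP handling')."""

    def __init__(self, rate_per_sec, burst, now=0.0):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Router:
    def __init__(self, icmp_rate=100, icmp_burst=10):
        self.cpu_icmp_limiter = TokenBucket(icmp_rate, icmp_burst)
        self.stats = {"forwarded": 0, "punted": 0, "dropped_by_limiter": 0}

    def receive(self, src, dst, proto, now):
        """Decide the fate of one packet; returns a short tag for what happened."""
        if ipaddress.ip_address(dst) in ROUTER_ADDRESSES:
            # Destined to the router itself: has to go up to the CPU.
            if proto == "icmp" and not self.cpu_icmp_limiter.allow(now):
                self.stats["dropped_by_limiter"] += 1
                return "dropped"
            self.stats["punted"] += 1
            return "punted"
        # Transit traffic: hardware fast path, sub-protocol is irrelevant.
        iface = select_interface(src, dst)
        if iface is None:
            return "no-route"
        self.stats["forwarded"] += 1
        return f"forwarded:{iface}"


def simulate_ping_flood(count=50, icmp_rate=100, icmp_burst=10):
    """Deliver `count` ICMP echoes to the router's own address at one instant
    (t=0): only `icmp_burst` reach the CPU, the rest are dropped by the limiter.
    One transit ICMP packet to a host behind the router is forwarded untouched."""
    r = Router(icmp_rate, icmp_burst)
    for i in range(count):
        r.receive(f"198.51.100.{i % 250 + 1}", "10.1.0.1", "icmp", now=0.0)
    r.receive("198.51.100.9", "10.1.2.3", "icmp", now=0.0)
    return r.stats


if __name__ == "__main__":
    print(select_interface("192.0.2.10", "10.1.2.3"))
    print(simulate_ping_flood())
```

The point the model makes concrete is that the limiter sits only on the punt path: the transit ICMP packet is forwarded like any other IP packet, which is why there is no reason for a global ICMP limit, while echoes aimed at the router itself are what consume CPU and need a cap.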
