North American Network Operators Group


Re: 92 Byte ICMP Blocking Problem

  • From: jlewis
  • Date: Sat Sep 13 23:19:29 2003

That's really weird.  I've been running with 

route-map nachiworm permit 10
 match ip address nachilist
 match length 92 92
 set interface Null0

ip access-list extended nachilist
 permit icmp any any echo
 permit icmp any any echo-reply

ip policy route-map nachiworm

on transit interfaces and the virtual-templates of all our access servers 
that can do it properly (just blocking echo/echo-reply on the older ones 
that can't do the policy) and haven't heard about any customer complaints 
other than "I can't ping" in the places where we've blocked all 
echo/echo-reply.  The routers doing this (7200/7500s) are all running 
12.2(1-3)S.  Access servers are running mostly 12.1M or 12.2XB code. 

On Fri, 12 Sep 2003, William Devine, II wrote:

> I had the exact same problem.  As soon as I turned it on, within minutes I
> had customers calling that could no longer FTP into Win2k servers and some
> that couldn't SSH into their Linux servers.
> I've since turned it off as well.
> Are there any other known ways to block this?
> 
> ----- Original Message ----- 
> From: "Chris Adams" <[email protected]>
> To: "Steven M. Bellovin" <[email protected]>
> Cc: "Nanog" <[email protected]>
> Sent: Friday, September 12, 2003 1:32 PM
> Subject: Re: 92 Byte ICMP Blocking Problem
> 
> > I don't have it in place anymore (because it caused more problems than
> > it fixed), so I can't test this.  In any case, the route map only
> > matched 92 byte ICMP echo and ICMP echo-reply packets, which is not what
> > PMTU uses, so it shouldn't have had a problem.  Also, I know that the
> > MTU along the path for the person in the office is the same all the way,
> > so PMTU shouldn't come into play there.

----------------------------------------------------------------------
 Jon Lewis *[email protected]*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
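The following is an added example, not code from the thread or from Cisco: it emulates in Python what the nachiworm route-map above decides for a packet (ICMP echo or echo-reply with an IP total length of exactly 92 bytes goes to Null0, everything else is forwarded) and runs that decision over a handful of constructed packets. The addresses, ICMP id/sequence values and payloads are all made up. The worm signature it checks in addition is the 64-byte payload of 0xAA bytes that the Nachi/Welchia scanner sent; that detail is not on this page but is the documented probe pattern. The samples also show the collateral the length match implies: a Linux `ping -s 64` produces a 92-byte echo request that the route-map cannot tell apart from the worm, while an ICMP fragmentation-needed message (type 3, code 4) is never matched whatever its length, which is the point Chris Adams makes about PMTU.

```python
import socket
import struct

# Added example (not from the NANOG thread): emulate the nachiworm route-map's
# classification and run it over constructed sample packets.
# Assumed values: addresses, ICMP id/seq and payloads are all made up here.

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
NACHI_LENGTH = 92   # the IP total length the route-map matches ("match length 92 92")


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(icmp_type: int, code: int, payload: bytes,
                      src: str = "192.0.2.10", dst: str = "198.51.100.20") -> bytes:
    """Build an IPv4+ICMP packet (constructed sample traffic, not a capture)."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + icmp


def route_map_action(pkt: bytes) -> str:
    """Emulate the policy: ICMP echo/echo-reply with IP total length exactly 92
    is sent to Null0; anything else (other lengths, other ICMP types, non-ICMP)
    is forwarded normally.  The route-map never looks at the payload."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1:                       # IP protocol 1 = ICMP
        return "forward"
    icmp_type = pkt[ihl]
    if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) and total_len == NACHI_LENGTH:
        return "Null0"
    return "forward"


def looks_like_nachi_probe(pkt: bytes) -> bool:
    """Tighter detection than the length match: a 92-byte echo request whose
    64-byte payload is entirely 0xAA, the pattern the Nachi/Welchia scanner used.
    This separates the worm from a legitimate ping with a 64-byte payload."""
    if route_map_action(pkt) != "Null0":
        return False
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl] == ICMP_ECHO_REQUEST and pkt[ihl + 8:] == b"\xaa" * 64


# Constructed samples; payload sizes chosen to show what the length match
# catches and what it does not.
SAMPLES = {
    "nachi_probe":  build_icmp_packet(ICMP_ECHO_REQUEST, 0, b"\xaa" * 64),   # 92 bytes
    "linux_ping":   build_icmp_packet(ICMP_ECHO_REQUEST, 0, bytes(56)),      # default -s 56 -> 84 bytes
    "ping_s64":     build_icmp_packet(ICMP_ECHO_REQUEST, 0, bytes(64)),      # ping -s 64 -> 92 bytes
    "windows_ping": build_icmp_packet(ICMP_ECHO_REQUEST, 0,
                                      b"abcdefghijklmnopqrstuvwabcdefghi"),  # 32 bytes -> 60 bytes
    "frag_needed":  build_icmp_packet(ICMP_DEST_UNREACH, 4, bytes(64)),      # PMTUD message padded to 92
}


def classify_all() -> dict:
    """Return {name: (route-map action, payload-based Nachi verdict)} for SAMPLES."""
    return {name: (route_map_action(p), looks_like_nachi_probe(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, nachi) in classify_all().items():
        print(f"{name:12s} len={len(SAMPLES[name]):3d}  route-map -> {action:7s}  nachi-payload={nachi}")
```

Running it prints one line per sample: only `nachi_probe` and `ping_s64` are sent to Null0, and only `nachi_probe` also passes the payload check. The route-map has no way to express the payload test, so on IOS the choice is between accepting that 92-byte legitimate pings are dropped and blocking echo/echo-reply outright on the boxes that cannot do policy routing, as described in the message.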