North American Network Operators Group

Re: icmp rpf
On Mon, Sep 25, 2006, Ian Mason wrote:
> Filtering ICMP is always dangerous. If you are going to do it you
> *must* understand the consequences both to yourself and to others,
> and also understand the consequences in both normal situations and
> all possible failure modes. (If I had a penny for every broken PMTU
> detection I'd seen because of someone's over eager filtering of ICMP...)

Is there a BCP for "handling ICMP?" I'm walking the Cisco certification path and they're quite vocal about ICMP rate limiting over any kind of filtering on routers/switches. I haven't read their firewall documentation so I'm not sure what they're preaching for PIX/ASA.

(Yup, if I had a penny for every PMTU fix-by-unbreaking-ICMP-filtering I've repaired over the last 10 years..)

Adrian