North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: icmp rpf

  • From: Adrian Chadd
  • Date: Mon Sep 25 09:24:51 2006

On Mon, Sep 25, 2006, Ian Mason wrote:

> Filtering ICMP is always dangerous. If you are going to do it you  
> *must* understand the consequences both to yourself and to others,  
> and also understand the consequences in both normal situations and  
> all possible failure modes. (If I had a penny for every broken PMTU  
> detection I'd seen because of someone's over eager filtering of ICMP...)

Is there a BCP for "handling ICMP?"

I'm walking the Cisco certification path and they're quite vocal about
ICMP rate limiting over any kind of filtering on routers/switches.
I haven't read their firewall documentation so I'm not sure what they're
preaching for PIX/ASA.

(Yup, if I had a penny for every PMTU fix-by-unbreaking-ICMP-filtering
I've repaired over the last 10 years..)