North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: icmp rpf

  • From: Jared Mauch
  • Date: Mon Sep 25 09:38:37 2006

On Sun, Sep 24, 2006 at 02:59:50PM -0700, Mark Kent wrote:
> A smaller North American network provider, with a modest North
> American backbone, numbers their internal routers on public IP space
> that they do not announce to the world.
> One of the largest North American network providers filters/drops
> ICMP messages so that they only pass those with a source IP
> address that appears in their routing table.

	I would hope they're doing it for more than just ICMP packets.
There are numerous nefarious uses of the network with unrouted/spoofed
addres space.  Various hosts have done bad things (in the past)
if they get something like a SYN that appears to be from themselves.
Protecting ones customers from spoofed address DoS attacks and leaking
of unrouted IP space (1918 or otherwise) that isn't globally reachable
I would argue should be, or is a current best practice.

	The "good" packets that are dropped in this scenario are
sufficent limited (yes, pmtu and these cases of traceroutes, etc..)
but there are also well known solutions and workarounds to this as well.
It's still hard to get people to fix their "deny all icmp" policies that
some companies have that create troubles for others.  I've had issues
accessing my own bank website in the past due to p-mtu issues.  These
aren't places that are easily approachable to resolve the problem in
most cases.

> As a result, traceroutes from into have numerous
> hops that time out.

	Others have pointed out how this can be resolved by by
using different techniques and still protect the infrastructure.  It
may be of value for to look at it and see what applies
to them.

> Traceroutes from elsewhere that go into but return on
> also have numerous hops that time out.
> We do all still think that traceroute is important, don't we?

	I agree traceroute is important and valuable.  It's one
of the things I have asked people to send me in the past for debugging,
but isn't the sole source of debugging available.  Other techniques
can be applied.

	Did just turn this on, or has it been on for months/years

	- jared

Jared Mauch  | pgp key available via finger from [email protected]
clue++;      |  My statements are only mine.