Re: icmp rpf
On Sun, Sep 24, 2006 at 02:59:50PM -0700, Mark Kent wrote:
>
> A smaller North American network provider, with a modest North
> American backbone, numbers their internal routers on public IP space
> that they do not announce to the world.
>
> One of the largest North American network providers filters/drops
> ICMP messages so that they only pass those with a source IP
> address that appears in their routing table.

I would hope they're doing it for more than just ICMP packets. There are numerous nefarious uses of the network with unrouted/spoofed address space. Various hosts have done bad things (in the past) if they get something like a SYN that appears to be from themselves.

Protecting one's customers from spoofed address DoS attacks and leaking of unrouted IP space (1918 or otherwise) that isn't globally reachable I would argue should be, or is, a current best practice. The "good" packets that are dropped in this scenario are sufficiently limited (yes, pmtu and these cases of traceroutes, etc..) but there are also well known solutions and workarounds to this as well.

It's still hard to get people to fix their "deny all icmp" policies that some companies have that create troubles for others. I've had issues accessing my own bank website in the past due to p-mtu issues. These aren't places that are easily approachable to resolve the problem in most cases.

> As a result, traceroutes from big.net into small.net have numerous
> hops that time out.

Others have pointed out how this can be resolved by using different techniques and still protect the infrastructure. It may be of value for small.net to look at it and see what applies to them.

> Traceroutes from elsewhere that go into small.net but return on
> big.net also have numerous hops that time out.
>
> We do all still think that traceroute is important, don't we?

I agree traceroute is important and valuable. It's one of the things I have asked people to send me in the past for debugging, but isn't the sole source of debugging available. Other techniques can be applied.

Did big.net just turn this on, or has it been on for months/years now?

- jared

--
Jared Mauch | pgp key available via finger from [email protected]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
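As an added illustration (not part of the thread or of any provider's configuration), the check described above modelled in Python: a loose reverse-path filter that drops packets whose source address has no entry in the filtering provider's routing table, run over a constructed traceroute path from big.net into small.net, with a switch showing what changes when the same check covers all packets rather than just ICMP. All prefixes and addresses are constructed documentation/RFC 1918 placeholders, not real routes.

```python
from ipaddress import ip_address, ip_network

# Constructed: big.net's routing table (the provider applying the filter).
BIG_NET_TABLE = [ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed hop list for a traceroute from big.net into small.net.
# small.net numbers its internal routers from 192.0.2.0/24, public space it does
# not announce, so big.net has no route for it; 10.1.2.3 is an RFC 1918 leak;
# the last entry is a spoofed SYN from unrouted space (hop None: not a reply).
PACKETS = [
    {"hop": 1, "src": "198.51.100.1", "proto": "icmp-time-exceeded"},
    {"hop": 2, "src": "203.0.113.1",  "proto": "icmp-time-exceeded"},
    {"hop": 3, "src": "192.0.2.10",   "proto": "icmp-time-exceeded"},
    {"hop": 4, "src": "192.0.2.11",   "proto": "icmp-time-exceeded"},
    {"hop": 5, "src": "10.1.2.3",     "proto": "icmp-time-exceeded"},
    {"hop": None, "src": "10.9.9.9",  "proto": "tcp-syn"},
]

def source_has_route(src, table):
    """Loose-mode reverse-path check: accept only if some prefix covers the source."""
    addr = ip_address(src)
    return any(addr in prefix for prefix in table)

def apply_filter(packets, table, icmp_only=True):
    """Return (passed, dropped). icmp_only=True mirrors the ICMP-only policy in the
    thread; False applies the same check to every packet, as the reply argues for."""
    passed, dropped = [], []
    for pkt in packets:
        in_scope = pkt["proto"].startswith("icmp") or not icmp_only
        if in_scope and not source_has_route(pkt["src"], table):
            dropped.append(pkt)
        else:
            passed.append(pkt)
    return passed, dropped

def traceroute_view(packets, table):
    """What the big.net user sees: a hop whose time-exceeded reply was dropped
    shows as '* * *', the 'hops that time out' the thread describes."""
    passed, _ = apply_filter(packets, table)
    seen = {p["hop"]: p["src"] for p in passed if p["proto"] == "icmp-time-exceeded"}
    max_hop = max(p["hop"] for p in packets if p["proto"] == "icmp-time-exceeded")
    return [f"{h}  {seen.get(h, '* * *')}" for h in range(1, max_hop + 1)]

if __name__ == "__main__":
    print("\n".join(traceroute_view(PACKETS, BIG_NET_TABLE)))
    _, dropped_all = apply_filter(PACKETS, BIG_NET_TABLE, icmp_only=False)
    print("dropped with check on all packets:", [p["src"] for p in dropped_all])
```

Hops 3 to 5 time out only because small.net's router addresses and the leaked 1918 source are absent from big.net's table; the spoofed SYN is caught only when the check is not limited to ICMP.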