Re: [NANOG] Limiting ICMP

• From: Sean Donelan
• Date: Fri May 23 19:24:06 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

In the environments where I've done this, my experience was that it was
an acceptable practice at the time and in a couple cases it did help the
net upstream when something went wrong (e.g. this did stop some real
DoS traffic for me more than once).  I made use of protocol counters or
some monitoring tools to ensure they were not unnecessarily dropping
valid packets.  Your mileage may vary of course, as it apparently does?

Is it better to set defaults conservatively and allow people who want
more to expand them?  Or better to set defaults liberally and allow
people who want less to reduce them?

• References:
  • [NANOG] Limiting ICMP Drew Weaver
  • Re: [NANOG] Limiting ICMP John Kristoff

• Prev by Date: Re: IPv4 Router Alert Option
• Next by Date: amazonaws.com?
• Date Index
• Thread Index
• Author Index
• Historical