nanog mailing list archives
Re: icmp rpf
From: Adrian Chadd <adrian () creative net au>
Date: Mon, 25 Sep 2006 21:23:06 +0800
On Mon, Sep 25, 2006, Ian Mason wrote:
Filtering ICMP is always dangerous. If you are going to do it you *must* understand the consequences both to yourself and to others, and also understand the consequences in both normal situations and all possible failure modes. (If I had a penny for every broken PMTU detection I'd seen because of someone's over eager filtering of ICMP...)
Is there a BCP for "handling ICMP?" I'm walking the Cisco certification path and they're quite vocal about ICMP rate limiting over any kind of filtering on routers/switches. I haven't read their firewall documentation so I'm not sure what they're preaching for PIX/ASA.

(Yup, if I had a penny for every PMTU fix-by-unbreaking-ICMP-filtering I've repaired over the last 10 years..)

Adrian