nanog mailing list archives

Re: [NANOG] Limiting ICMP

From: Sean Donelan <sean () donelan com>
Date: Fri, 23 May 2008 19:23:57 -0400 (EDT)

On Wed, 21 May 2008, John Kristoff wrote:

In the environments where I've done this, my experience was that it was
an acceptable practice at the time and in a couple cases it did help the
net upstream when something went wrong (e.g. this did stop some real
DoS traffic for me more than once).  I made use of protocol counters or
some monitoring tools to ensure they were not unnecessarily dropping
valid packets.  Your mileage may vary of course, as it apparently does?

Welcome to the wonderful world of deciding on "defaults." Unfortunately,the people most likely to be negatively affected by defaults are alsopeople least likely to know the consequences of those defaults.


Is it better to set defaults conservatively and allow people who want
more to expand them?  Or better to set defaults liberally and allow
people who want less to reduce them?

Current thread:

[NANOG] Limiting ICMP Drew Weaver (May 17)
- Re: [NANOG] Limiting ICMP Kameron Gasso (May 17)
- Re: [NANOG] Limiting ICMP John Kristoff (May 21)
  - Re: [NANOG] Limiting ICMP Rob Thomas (May 21)
  - Re: [NANOG] Limiting ICMP Sean Donelan (May 23)