[AusNOG] icmp best practise

Mark Andrews marka at isc.org
Tue Nov 24 09:29:10 EST 2015


In message <CABsiCiCRr4=nNx2Zt3SEuEwuGPwC+sSCw_E4bVA=TH4a-M6tHA at mail.gmail.com>
, Jeremy Visser writes:
> On Mon, Nov 23, 2015 at 2:15 PM, David Hughes <david at hughes.com.au> wrote:
> > Team Cymru could be a good first point of reference.
> > https://www.cymru.com/Documents/icmp-messages.html
> 
> Ouch. That page doesn't suggest allowing ICMP "Packet Too Big" which
> is a recipe for tarpitting TCP should you use IPv6 on a <1500 MTU
> network and don't hack your TCP MSS.

Yes it does.

ICMP_UNREACH        3       4  /* ICMP_UNREACH_NEEDFRAG - Used by Path */ 
                               /* MTU to determine the optimal MTU setting. */ 

access-list 2001 remark Permit Path MTU to function.
access-list 2001 permit icmp any any packet-too-big

Most of the issues with ICMP came from letting through directed
broadcast rather than anything else.  Unfortunately at the time the
quickest fix was to block all ICMP. 

The rest of the unreachables are important too if you want your
applications to fail over to different servers.

The most important thing is to set the correct rate limits for
generating icmp messages.  Too small and you stop the network
working.  Too big and you can deny cpu resources to other functions.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
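As an added illustration of the point made above (this is not code from the list post or from the Team Cymru page), here is a Python model of what a filter that drops ICMPv6 Packet Too Big does to an IPv6 TCP flow crossing a link with an MTU below 1500: it builds and checksums a real type 2 message, parses it back, and shows the flow learning the path MTU when the filter follows a Cymru-style allow list, and stalling when type 2 is blocked. The addresses, the allowed-type set and the fixed 60-byte header overhead are assumptions made for the example.

```python
import struct
import ipaddress

# Constructed sample endpoints (documentation prefix, not real hosts).
SENDER = "2001:db8::2"
ROUTER = "2001:db8::1"
ICMPV6_PACKET_TOO_BIG = 2
# ICMPv6 types a filter must let through for IPv6 to work (RFC 4890 "must not be dropped"):
# 1 dest unreachable, 2 packet too big, 3 time exceeded, 4 parameter problem, 128/129 echo.
ESSENTIAL_ICMPV6 = {1, 2, 3, 4, 128, 129}
IPV6_PLUS_TCP_HEADERS = 40 + 20  # assumption: no extension headers or TCP options

def icmpv6_checksum(src, dst, msg):
    """RFC 4443 checksum: IPv6 pseudo-header (src, dst, length, next header 58) + message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(msg)) + b"\x00\x00\x00\x3a")
    data = pseudo + msg + (b"\x00" if len(msg) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet_too_big(src, dst, mtu, invoking_packet):
    """Type 2 / code 0 message: 4-byte MTU field followed by the start of the dropped packet."""
    body = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + invoking_packet
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]

def parse_packet_too_big(src, dst, msg):
    """Return the advertised MTU, or None if the message is malformed or its checksum is wrong."""
    if len(msg) < 8:
        return None
    icmp_type, code, csum, mtu = struct.unpack("!BBHI", msg[:8])
    if icmp_type != ICMPV6_PACKET_TOO_BIG or code != 0:
        return None
    if icmpv6_checksum(src, dst, msg[:2] + b"\x00\x00" + msg[4:]) != csum:
        return None
    return mtu

def pmtud_outcome(path_mtu, allowed_types, link_mtu=1500):
    """MSS the sender settles on, or None when a filter that drops Packet Too Big tarpits the flow."""
    if path_mtu >= link_mtu:
        return link_mtu - IPV6_PLUS_TCP_HEADERS  # no PMTU reduction needed
    # A router on the path drops the 1500-byte segment and reports the smaller MTU.
    ptb = build_packet_too_big(ROUTER, SENDER, path_mtu, b"\x00" * 48)
    if ptb[0] not in allowed_types:
        return None  # type 2 blocked: sender keeps retransmitting oversize segments, flow stalls
    mtu = parse_packet_too_big(ROUTER, SENDER, ptb)
    return mtu - IPV6_PLUS_TCP_HEADERS
```

Running pmtud_outcome(1280, ESSENTIAL_ICMPV6) yields an MSS of 1220, while the same call with type 2 removed from the allowed set returns None, which is the tarpit Jeremy describes.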

