Re: [nsp] ICMP Unreachable and CEF

From: john heasley (heas@shrubbery.net)
Date: Thu Jan 24 2002 - 17:27:27 EST


you want a bit bucket. if you want unreachables, don't put the route
in the FIB.

Thu, Jan 24, 2002 at 10:34:23AM -0800, Steven W. Raymond:
> I disagree. "icmp unreachable" messages' purpose is to inform the
> sender that the next-hop is not available. Routing a packet to an
> interface which lacks an IP address should indeed generate an ICMP
> unreachable message back to the sender. Thankfully Cisco allows us to
> turn this off with "no ip unreachables" on a per-interface basis.
> But this behavior seems to be an intrinsically useful feature of ICMP, and
> without being very familiar with the author's intentions, I feel safe in
> assuming that is what they designed it to do.
> At least one use of icmp unreachables is helping to identify ingress
> points of certain spoofed-source address DoS attacks.
>
>
> john heasley wrote:
> >
> > it should not return anything. null0 == /dev/null
> >
> > Thu, Jan 24, 2002 at 11:36:20AM -0500, Steven W. Raymond:
> > > Have experienced this same problem also and working with Cisco, was
> > > provided the following bug id: CSCdj55180
> > > Output is very terse. Is there anyone here from Cisco that can
> > > elaborate on an expected fix timeline?
> > > I believe that one workaround (somewhat lame) is to instead route to
> > > another unused interface which is up/up but without an IP address. This
> > > will generate an ICMP unreachable due to the unnumbered interface. Be
> > > sure to turn off cef on that interface. It was explained to me that if
> > > cef is turned on, then the RSP (which generates the ICMP unreachable)
> > > never sees the packet.
> > > The problem is not observed on the 12000 platform with the exact same
> > > code version 12.0(14)S5.
> > > Regards
> > >
> > >
> > > Elijah Kagan wrote:
> > > >
> > > > I always thought that when a router forwards packets to Null0 it also
> > > > generates ICMP Unreachable message to indicate this event. It seems that
> > > > this is not the case on routers running CEF. I checked this on several
> > > > platforms: 7500, 7200 and 3600. Whenever CEF is turned off I see those
> > > > unreachables pouring in, with CEF on - nothing.
> > > >
> > > > Is this the expected behavior? Can anyone expand on this issue?
> > > >
> > > > -- elijah
> > > >
> > > > P.S. I am running 12.0(x)S on 7200 and 7500.
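As an added illustration, not written by any of the posters above, here is what the two approaches discussed in this thread look like as IOS configuration: the plain Null0 bit bucket with unreachables switched off on Null0 (for the case where you do not want them), and Steven's workaround of routing into a spare, addressless interface with CEF disabled so the RSP still sees the packet and emits the unreachable. The prefixes, the interface name Ethernet1/1, and the 500 ms rate-limit value are assumed placeholders, and the `ip icmp rate-limit unreachable` command is assumed to be available on the running image.

```cisco
! Constructed example, not from the thread. Prefixes and interface names are placeholders.
!
! (A) Bit-bucket route: 192.0.2.0/24 is dropped in the FIB. With CEF on, the
!     posters observe that no ICMP unreachables are generated for these drops.
!     If you do not want unreachables from this route even when CEF is off,
!     disable them on the Null0 interface itself.
ip route 192.0.2.0 255.255.255.0 Null0
!
interface Null0
 no ip unreachables
!
! (B) Workaround from the thread: route 198.51.100.0/24 to a spare up/up
!     interface that has no IP address and has CEF switching disabled, so the
!     packet is punted to the RSP, which generates the unreachable.
interface Ethernet1/1
 no ip address
 no ip route-cache cef
 no shutdown
!
ip route 198.51.100.0 255.255.255.0 Ethernet1/1
!
! Since (B) keeps unreachables on so they can be used to trace spoofed-source
! floods back to their ingress point, cap how often the router sends them
! (one per 500 ms here, a placeholder value) so a flood into the black hole
! does not turn into an RSP CPU problem.
ip icmp rate-limit unreachable 500
```

Apply only one of (A) or (B) per prefix: (A) is the quiet drop, (B) is the drop that still tells the sender (and your NetFlow or syslog collectors) that the packet was discarded.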



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:29 EDT