[c-nsp] Opinions about ICMP Destination Unreachable

sthaug at nethelp.no sthaug at nethelp.no
Thu Nov 27 07:16:00 EST 2008


> > I am just wondering how many people have ICMP Destination Unreachables
> > disabled on their core routers. Could a CPE router, which may encapsulate
> > data, be able to depend on ICMP Unreachables to be sent to it?
> >
> > I know there are many cases where router implementations default it to off
> > (to not send ICMP DUs), but wondering who leaves it this way or turns them
> > on? Or when it defaults to on, who explicitly turns them off.
> 
> Most people who disable ICMP DU just don't understand what ICMP DU
> is for. Need I mention that PMTUD relies on ICMP type 3/code 4...
> In addition, it looks like the "no ip unreach" interface command
> disables the "too big" message as well, breaking PMTUD.
> I prefer to enable ICMP DU on any interfaces where fragmentation may occur.

There is also a middle ground here - leave ICMP Destination Unreachable
on but rate limit the replies to a suitably low value. This means that
you will *probably* get a reply, but it's certainly not guaranteed.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
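
The two positions in this thread, as an added Cisco IOS configuration sketch that is not part of the original post: the blanket disable from the quoted reply beside the rate-limited middle ground. The interface name and the millisecond values are assumptions chosen for illustration.

```cisco
! Added example, not from the original post.
! Interface name and timer values below are assumptions.
!
! Blanket disable (the setting the quoted reply warns about):
! suppresses all ICMP unreachables generated on this interface,
! including type 3/code 4 (fragmentation needed, DF set), so PMTUD
! through this hop fails silently.
interface GigabitEthernet0/1
 no ip unreachables
!
! Middle ground: leave unreachables enabled on the interface ...
interface GigabitEthernet0/1
 ip unreachables
!
! ... and throttle them globally. The value is the minimum interval
! between replies, so 500 means at most one unreachable per 500 ms.
ip icmp rate-limit unreachable 500
!
! Code 4 has its own limiter via the "df" keyword. A shorter interval
! here favours PMTUD while other unreachables stay tightly limited.
ip icmp rate-limit unreachable df 100
```

A reply suppressed by the limiter is simply never sent, so a sender doing PMTUD only learns the path MTU once a later oversized packet arrives after the interval has elapsed. `show ip icmp rate-limit` reports how many unreachables were held back per interface on releases that support it.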

