Re: [nsp] icmp blocking

From: Gert Doering (gert@greenie.muc.de)
Date: Thu Mar 28 2002 - 03:02:30 EST


Hi,

On Thu, Mar 28, 2002 at 09:46:46AM -0500, Birsen Ozturk wrote:
> I was looking for information about denying ICMP packets accross the
> backbone. What is the efficient/reccomended way of doing it?

Don't.

> What are the
> drawbacks and maybe workarounds? I feel like if the backbone devices are
> open to ICMP they are vulnerable to DoS attacks. Any idea/reccomendation
> is welcome.

Denying ICMP means that you're going to seriously limit people's abilities
to troubleshoot network problems. If done poorly, you'll also break TCP
path MTU discovery (PMTUd).

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:38 EDT