Re: [nsp] icmp blocking

From: Gert Doering (gert@greenie.muc.de)
Date: Thu Mar 28 2002 - 03:02:30 EST


Hi,

On Thu, Mar 28, 2002 at 09:46:46AM -0500, Birsen Ozturk wrote:
> I was looking for information about denying ICMP packets across the
> backbone. What is the efficient/recommended way of doing it?

Don't.

> What are the
> drawbacks and maybe workarounds? I feel like if the backbone devices are
> open to ICMP they are vulnerable to DoS attacks. Any idea/recommendation
> is welcome.

Denying ICMP means that you're going to seriously limit people's abilities
to troubleshoot network problems. If done poorly, you'll also break TCP
path MTU discovery (PMTUd).

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de
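
Added example, not part of the original message or thread: a small Python simulation of RFC 1191 path MTU discovery, showing how a blanket ICMP deny turns a small-MTU hop into a black hole while a filter that still passes type 3 code 4 lets the sender converge. The hop MTUs, function names and the two filter policies are constructed assumptions.

```python
"""Simulate RFC 1191 path MTU discovery under two ICMP filter policies.
Hop MTUs and policy names are constructed for illustration."""

# ICMP Destination Unreachable, code 4: "fragmentation needed and DF set".
FRAG_NEEDED = (3, 4)

def deny_all_icmp(icmp_type, code):
    """Blanket filter: no ICMP message crosses the backbone."""
    return False

def permit_pmtud(icmp_type, code):
    """Selective filter: only the PMTUd signal is allowed back to the sender."""
    return (icmp_type, code) == FRAG_NEEDED

def forward(size, hop_mtus):
    """Send one DF packet along the path.
    Returns None if delivered, else the MTU of the hop that dropped it."""
    for mtu in hop_mtus:
        if size > mtu:
            return mtu
    return None

def discover_pmtu(hop_mtus, icmp_filter, max_tries=5):
    """Return (delivered, final_packet_size, tries_used)."""
    size = hop_mtus[0]                      # start at the first-hop MTU
    for attempt in range(1, max_tries + 1):
        bottleneck = forward(size, hop_mtus)
        if bottleneck is None:
            return True, size, attempt
        # The dropping router emits type 3 code 4 carrying its next-hop MTU.
        if icmp_filter(*FRAG_NEEDED):
            size = bottleneck               # sender lowers its path MTU estimate
        # Otherwise the error is filtered and the sender retransmits unchanged.
    return False, size, max_tries

if __name__ == "__main__":
    path = [1500, 1500, 1476, 1400, 1500]   # constructed path with a tunnel hop
    for name, policy in (("deny all ICMP", deny_all_icmp),
                         ("permit type 3 code 4", permit_pmtud)):
        ok, size, tries = discover_pmtu(path, policy)
        print(f"{name:22} delivered={ok} size={size} tries={tries}")
```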


