RE: [nsp] icmp blocking

From: Shi, Ning (ning.shi@bellnexxia.com)
Date: Thu Mar 28 2002 - 12:02:43 EST


I guess this is OK for an enterprise network. Any good ideas for an ISP?

Regards,

-ns

-----Original Message-----
From: Rob Thomas [mailto:robt@cymru.com]
Sent: 28 March 2002 11:40 AM
To: Cisco List
Subject: Re: [nsp] icmp blocking

Hi, Birsen.

] I was looking for information about denying ICMP packets across the
] backbone. What is the efficient/recommended way of doing it? What are the

Hmm, I wouldn't block all ICMP. This can lead to other problems. ICMP
isn't just the hacker's protocol. :) Rate limiting is good, and I have
an example of that in my Secure IOS Template:

http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html

I have some thoughts on the filtering of ICMP at the edge here:

http://www.cymru.com/~robt/Docs/Articles/icmp-messages.html

I hope this helps!

Thanks,
Rob.

--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);


