[c-nsp] ICMP filtering for the ISP
Gert Doering
gert at greenie.muc.de
Mon Jan 22 16:25:17 EST 2007
Hi,
On Mon, Jan 22, 2007 at 06:10:26PM -0000, James Worley wrote:
> Hi there, hoping for some advice. Anybody got any experience in
> filtering ICMP within an ISP network?
>
> We have a handful of border routers that connect our AS to our transit
> providers. I am thinking that it might be a good idea to apply some sort
> of ICMP filtering on these boxes.
"Don't".
Ask yourself: what do you want to achieve - and what will it damage.
"Generic ICMP filtering" usually achieves nothing but hard-to-diagnose
problems later on - and ICMP is not a danger per se.
What you *do* want to do is "rate limit ICMP to your routers" (because
nobody has the right to ping-to-death your router CPUs). But be prepared
to answer "your network is broken, I see packet loss!!!" e-mails.
*Much* more important than filtering ICMP is to apply anti-spoofing filters
on your network:
- customers MUST NOT send packets from a source address that doesn't
belong to them ("ip verify unicast reverse" in cisco speech)
- peers and upstreams MUST NOT send you packets with a source address
that comes from *your* network blocks (I don't think uRPF will achieve
this, but this can be done fairly easily with ACLs).
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
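The three measures Gert recommends, written out as an IOS configuration fragment. This is an added illustration, not from the post or its author; 192.0.2.0/24 is a placeholder for one of your own address blocks, the interface names and the police rate are made up, and the "source reachable-via rx" form is the newer spelling of the uRPF command Gert refers to.

```cisco
! Added illustration, not part of the original post. Placeholders:
! 192.0.2.0/24 = one of your own blocks; interface names are invented.
! uRPF needs CEF switching enabled globally.
ip cef
!
! 1. Customer-facing interface: strict uRPF. A packet is dropped unless
!    the route back to its source address points out this same interface,
!    so a customer cannot use source addresses that are not theirs.
interface GigabitEthernet0/1
 description customer-facing
 ip verify unicast source reachable-via rx
!
! 2. Peer/upstream-facing interface: ingress ACL that denies packets
!    claiming a source inside your own blocks. One deny line per block
!    you originate; "log" is omitted because ACL logging costs CPU.
ip access-list extended FROM-UPSTREAM-IN
 deny   ip 192.0.2.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/2
 description transit-provider
 ip access-group FROM-UPSTREAM-IN in
!
! 3. Rate-limit ICMP addressed to the router itself (control plane)
!    instead of filtering ICMP in transit. Rate (bps) and burst (bytes)
!    are placeholders; tune them to the platform and expected load.
ip access-list extended COPP-ICMP
 permit icmp any any
!
class-map match-all COPP-ICMP-CLASS
 match access-group name COPP-ICMP
!
policy-map COPP
 class COPP-ICMP-CLASS
  police 128000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

Transit ICMP through the router is untouched by this; only what is punted to the router CPU is policed, which is what makes the "I see packet loss in my traceroute" reports Gert mentions a cosmetic issue rather than a real one.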