[c-nsp] ICMP filtering for the ISP

Jared Mauch jared at puck.nether.net
Mon Jan 22 16:42:46 EST 2007


On Mon, Jan 22, 2007 at 10:25:17PM +0100, Gert Doering wrote:
> Hi,
> 
> On Mon, Jan 22, 2007 at 06:10:26PM -0000, James Worley wrote:
> > Hi there, hoping for some advice.  Anybody got any experience in
> > filtering ICMP within an ISP network?
> > 
> > We have a handful of border routers that connect our AS to our transit
> > providers. I am thinking that it might be a good idea to apply some sort
> > of ICMP filtering on these boxes. 
> 
> "Don't".
> 
> Ask yourself: what do you want to achieve - and what will it damage.
> 
> "Generic ICMP filtering" usually achieves nothing but hard-to-diagnose
> problems later on - and ICMP is not a danger per se.
> 
> What you *do* want to do is "rate limit ICMP to your routers" (because 
> nobody has the right to ping-to-death your router CPUs).  But be prepared
> to answer "your network is broken, I see packet loss!!!" e-mails.

	And be prepared for lengthy discussions and support cost from
this, teaching them how to use reasonable tools (e.g. iperf) to diagnose
that their internal network is hosed and has a 100m/half link in it
that is causing their problem.

	The majority of the complaints that I've seen come by in the
past were "not our fault" but generally a combination of customer education
issues as well as network issues outside our control.  Using the same tools
it's generally been easy for us to diagnose our own network problems.

	I've been gradually leaning to having a host/pc/whatnot attached to
every device as a recommended best practice for folks, but depending this
can get quite costly..  (unless they're good at multiple routing tables per
ifc, you need a host-per and the ability to do 1GE).

	This way you can diagnose a bunch of odd things and prove to the
customer that the packets are going 100% the same path, instead of 
just between the same pops..

	One of those increased costs of business I suspect most will end up
seeing.

> *Much* more important than filtering ICMP is to apply anti-spoofing filters
> on your network:
> 
>   - customers MUST NOT send packets from a source address that doesn't
>     belong to them ("ip verify unicast reverse" in cisco speech)
> 
>   - peers and upstreams MUST NOT send you packets with a source address
>     that comes from *your* network blocks (I don't think uRPF will achieve
>     this, but this can be done fairly easily with ACLs).

	I 100% agree with the above.  If you aren't doing this, please
consider it, or at least chime in with what challenges you face, as
stuff like smurf amps are around that 10 year mark.

	- Jared


-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
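The two recommendations in the thread above (rate-limit ICMP destined to the router itself rather than filtering ICMP in transit, and deploy anti-spoofing on both customer and transit edges) map onto a small amount of Cisco IOS configuration. The following is an added example written for this archive page, not configuration posted by any participant; the prefixes 192.0.2.0/24 and 198.51.100.0/24 are documentation-range placeholders standing in for the ISP's own address blocks, and the interface names and policer rates are illustrative assumptions.

```cisco
! ---------------------------------------------------------------
! 1. Customer edge: source must belong to the customer (strict uRPF).
!    Strict mode drops any packet whose source is not reachable back
!    out the ingress interface.  For multihomed customers with
!    asymmetric routing use "reachable-via any" (loose mode) or a
!    per-customer ACL instead, or legitimate traffic will be dropped.
! ---------------------------------------------------------------
interface GigabitEthernet1/0
 description CUSTOMER-EDGE (assumed interface name)
 ip verify unicast source reachable-via rx

! ---------------------------------------------------------------
! 2. Transit/peer edge: nobody outside may send us packets that claim
!    to come from *our* blocks.  Loose uRPF would pass these because
!    our own prefixes are in the FIB, so an explicit ACL is used, as
!    Gert suggests.  RFC 1918 sources are dropped at the same time.
!    Note: ICMP itself is NOT filtered here; only spoofed sources are.
! ---------------------------------------------------------------
ip access-list extended FROM-TRANSIT-IN
 remark placeholder: our own address space must never arrive from outside
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 remark private address space has no business arriving from transit
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any

interface GigabitEthernet2/0
 description TRANSIT-UPLINK (assumed interface name)
 ip access-group FROM-TRANSIT-IN in

! ---------------------------------------------------------------
! 3. Rate-limit ICMP *to the router's own CPU* with control-plane
!    policing.  Transit ICMP through the box is untouched, so
!    traceroute and PMTU discovery keep working for customers; only
!    packets punted to the control plane are policed.  64 kbit/s with
!    an 8000-byte burst is an assumed value; size it for the platform.
! ---------------------------------------------------------------
ip access-list extended ICMP-TO-ROUTER
 permit icmp any any

class-map match-all CM-ICMP-TO-ROUTER
 match access-group name ICMP-TO-ROUTER

policy-map COPP
 class CM-ICMP-TO-ROUTER
  police 64000 8000 conform-action transmit exceed-action drop

control-plane
 service-policy input COPP
```

Two things to check after applying this. First, `show ip interface GigabitEthernet1/0` reports uRPF drop counters, so a customer ticket about "packet loss" can be matched against spoof drops before anyone starts chasing a 100m/half link. Second, `show policy-map control-plane` shows conformed versus exceeded counts for the ICMP class; a steadily climbing exceed counter while customers report ping loss to the router, but not through it, is exactly the "your network is broken" complaint Gert warns about, and the counters are the evidence that the forwarding path is fine.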

