[c-nsp] ICMP filtering for the ISP
J. Oquendo
sil at infiltrated.net
Mon Jan 22 17:10:08 EST 2007
James Worley wrote:
> 10 permit icmp any any echo
> 14 permit icmp any any source-quench
> 20 permit icmp any any echo-reply
> 24 permit icmp any any 13 0
> 30 permit icmp any any unreachable
> 40 permit icmp any any packet-too-big
> 50 permit icmp any any ttl-exceeded
> 60 deny icmp any any
>
> Is there anything else we should be allowing inbound or problems with the
> above ACL?
>
Think about this for a second and let me suggest why your ICMP filtering
won't solve much...
Think of this as your network:
R1 = BGP Border RouterA = 10.1.1.1
R2 = BGP Border RouterB = 10.1.1.2
C1 = Client of yours = 10.10.10.5
Want to allow source quenches and unreachables...?
C1 (posing as R2) --> source quench flood --> R1 ... Flaps
C1 (posing as R2) --> unreachable flood --> R1 ... flaps
Denying ICMP is not a form of security. In most cases, ICMP is helpful
(even those ICMP messages that are barely used). So if you block
one, you might as well block them all and only allow in trusted hosts for
administrative purposes. But that would still leave a pretty shoddy
network if you ask me.
My 2 cents.
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government.
John Adams
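Worked example, added here and not part of the thread or the poster's configuration: a small model of first-match ICMP ACL evaluation over the quoted ACL, applied to the scenario in the reply (C1 sending source-quench and unreachable messages with R2's address as source). It shows that the ACL as written permits them because every line is `any any`, and that a BCP38-style ingress anti-spoofing check on the customer-facing interface is what stops them. It also flags ACL lines that can never match. The router and client addresses are the ones in the post; the customer prefix (10.10.10.0/24), the interface labels, the packet dictionaries and the keyword-to-type mapping (RFC 792 types as IOS uses them) are assumptions.

```python
from ipaddress import ip_address, ip_network

# IOS ICMP keywords from the quoted ACL mapped to (type, code); None = any code.
# Assumed mapping, following RFC 792 type numbers as IOS uses them.
KEYWORDS = {
    "echo": (8, None),
    "source-quench": (4, None),
    "echo-reply": (0, None),
    "unreachable": (3, None),
    "packet-too-big": (3, 4),      # destination unreachable, code 4
    "ttl-exceeded": (11, None),
}

# The ACL as posted: (sequence, action, icmp_type, icmp_code); None = any.
ACL = [
    (10, "permit", *KEYWORDS["echo"]),
    (14, "permit", *KEYWORDS["source-quench"]),
    (20, "permit", *KEYWORDS["echo-reply"]),
    (24, "permit", 13, 0),          # timestamp request, written numerically
    (30, "permit", *KEYWORDS["unreachable"]),
    (40, "permit", *KEYWORDS["packet-too-big"]),
    (50, "permit", *KEYWORDS["ttl-exceeded"]),
    (60, "deny", None, None),
]

# Addresses from the post; the customer prefix is an assumption.
R1, R2, C1 = "10.1.1.1", "10.1.1.2", "10.10.10.5"
CUSTOMER_PREFIX = ip_network("10.10.10.0/24")


def first_match(acl, icmp_type, icmp_code):
    """Return (sequence, action) of the first line matching the packet, or
    (None, 'deny') for the implicit deny at the end of every IOS ACL."""
    for seq, action, t, c in acl:
        if (t is None or t == icmp_type) and (c is None or c == icmp_code):
            return seq, action
    return None, "deny"


def antispoof_ok(pkt):
    """BCP38-style ingress check: a packet entering on the customer-facing
    interface must carry a source address inside that customer's prefix."""
    if pkt["ingress"] != "customer":
        return True
    return ip_address(pkt["src"]) in CUSTOMER_PREFIX


def evaluate(pkt, antispoof=False):
    """Decision for one ICMP packet: ('permit' | 'deny' | 'drop', reason)."""
    if antispoof and not antispoof_ok(pkt):
        return "drop", "ingress anti-spoof: source outside customer prefix"
    seq, action = first_match(ACL, pkt["type"], pkt["code"])
    return action, f"acl seq {seq}"


def shadowed(acl):
    """Lines that can never match because an earlier line already covers
    every packet they would match; returned as (line, covering_line)."""
    out = []
    for i, (seq, _, t, c) in enumerate(acl):
        for prev_seq, _, pt, pc in acl[:i]:
            if (pt is None or pt == t) and (pc is None or pc == c):
                out.append((seq, prev_seq))
                break
    return out


# Constructed sample traffic following the scenario in the reply.
SAMPLES = {
    "spoofed source-quench": {"src": R2, "dst": R1, "type": 4, "code": 0, "ingress": "customer"},
    "spoofed unreachable":   {"src": R2, "dst": R1, "type": 3, "code": 1, "ingress": "customer"},
    "customer ping":         {"src": C1, "dst": R1, "type": 8, "code": 0, "ingress": "customer"},
    "redirect from peer":    {"src": R2, "dst": R1, "type": 5, "code": 1, "ingress": "peer"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22s} acl-only: {evaluate(pkt)}  with anti-spoof: {evaluate(pkt, True)}")
    print("shadowed entries:", shadowed(ACL))
```

Running it shows the two spoofed messages permitted by lines 14 and 30 when only the ACL is consulted, and dropped once the ingress check is applied, while the customer's own ping is permitted either way. The shadow check reports line 40 as unreachable: `unreachable` on line 30 already matches every type-3 message, including the code-4 packet-too-big case, so line 40 never sees a packet.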