[c-nsp] ICMP filtering for the ISP
Gert Doering
gert at greenie.muc.de
Tue Jan 23 02:44:38 EST 2007
Hi,
On Mon, Jan 22, 2007 at 05:10:08PM -0500, J. Oquendo wrote:
> Want to allow source quenches and unreachables...?
>
> C1 (posing as R2) --> source quench flood --> R1 ... Flaps
> C1 (posing as R2) --> unreachable flood --> R1 ... flaps
todays routers don't act on source quench ICMPs anyway.
If your customer C1 can pose as a backbone router R2, you have a MUCH
bigger problem than ICMP unreachables. Enable anti-spoofing filter and
forget about "baad ICMP stuff!!".
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
More information about the cisco-nsp
mailing list