[c-nsp] Cisco Processing Regarding ICMP

alaerte.vidali at nsn.com alaerte.vidali at nsn.com
Sun May 11 14:02:11 EDT 2008


I mean, only helps TCP :) 

-----Original Message-----
From: Vidali Alaerte (NSN - BR/Rio de Janeiro) 
Sent: Sunday, May 11, 2008 9:02 PM
To: 'ext Phil Bedard'; Gert Doering
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cisco Processing Regarding ICMP

Hi Phil,

I have seen a description saying that the initial SYN is punted to the RP, so
there is an impact under a SYN attack, for example.
Also, the RP needs to calculate a new checksum.
I agree it seems a better solution; I am only worried about the CPU impact on
the 7609.
Also, only helps UDP.

Tks,
Alaerte 

-----Original Message-----
From: ext Phil Bedard [mailto:philxor at gmail.com]
Sent: Sunday, May 11, 2008 7:41 PM
To: Gert Doering
Cc: Vidali Alaerte (NSN - BR/Rio de Janeiro); cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco Processing Regarding ICMP

Yeah, a better solution to me is to use the tcp-adjust-mss value,
assuming this is TCP traffic and not something else.  I don't know the
CPU limitations of that on the 7600 but it will probably end up being
less processing power than generating an ICMP message that may never get
to its destination.

Phil

On May 11, 2008, at 11:58 AM, Gert Doering wrote:

> Hi,
>
> On Sat, May 10, 2008 at 03:39:23PM -0500, alaerte.vidali at nsn.com
> wrote:
>> Because of internal network design requirements, it is necessary 
>> to decrease the internal MTU to slightly lower than 1500 bytes,
>
> Ugh.
>
> This is *really* unusual.  Many networks increase their MTU to well 
> above 1500, so that even tunneled connections still are able to carry 
> full-MTU packets - but running a network below 1500 sounds like a 
> Really Bad Plan to me.
>
> Expect fun with all the sites out there that have Issues with PMTUD.  
> Lots.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany  gert at greenie.muc.de
> fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
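
The MSS rewrite discussed in this thread touches only the SYN and forces a TCP checksum change. The sketch below is an added example, not part of the original messages and not Cisco's implementation; the function names, addresses, ports and the 1360 clamp value are constructed for illustration.

```python
import struct

def ones_sum(data: bytes) -> int:
    """One's-complement 16-bit sum (RFC 1071), folded but not inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def clamp_mss(tcp: bytes, max_mss: int) -> bytes:
    """Lower the MSS option of a TCP SYN to max_mss; other segments pass unchanged."""
    if len(tcp) < 20 or not tcp[13] & 0x02:      # too short, or SYN flag not set
        return tcp
    hdr_len = (tcp[12] >> 4) * 4                 # data offset, in bytes
    if hdr_len > len(tcp):                       # truncated header: leave untouched
        return tcp
    i = 20
    while i + 1 < hdr_len:
        kind, length = tcp[i], tcp[i + 1]
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP is a single byte
            i += 1
            continue
        if length < 2 or i + length > hdr_len:   # malformed option: leave untouched
            break
        if kind == 2 and length == 4:            # Maximum Segment Size
            if struct.unpack_from("!H", tcp, i + 2)[0] <= max_mss:
                return tcp
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, max_mss)
            # RFC 1624 incremental update, HC' = ~(~HC + ~m + m'), over the aligned words changed.
            a, b = (i + 2) & ~1, (i + 5) & ~1
            old_inv = bytes(x ^ 0xFF for x in tcp[a:b])
            old_ck = struct.unpack_from("!H", tcp, 16)[0]
            s = ones_sum(struct.pack("!H", ~old_ck & 0xFFFF) + old_inv + bytes(out[a:b]))
            struct.pack_into("!H", out, 16, ~s & 0xFFFF)
            return bytes(out)
        i += length
    return tcp

if __name__ == "__main__":
    # Constructed SYN (ports 40000 -> 80, MSS 1460) between two documentation addresses.
    pseudo = bytes([192, 0, 2, 1, 198, 51, 100, 7]) + struct.pack("!BBH", 0, 6, 24)
    syn = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x60, 0x02, 65535, 0, 0) + b"\x02\x04\x05\xb4")
    struct.pack_into("!H", syn, 16, ~ones_sum(pseudo + syn) & 0xFFFF)
    print(clamp_mss(bytes(syn), 1360).hex())
```

The incremental update needs neither the payload nor the IP pseudo-header, so the per-SYN cost is the option walk plus a few 16-bit additions.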


