[c-nsp] Turning on no ip unreachables and the effects

Andre Beck cisco-nsp at ibh.net
Fri May 16 13:03:34 EDT 2008


Hi Kevin,

On Fri, May 09, 2008 at 10:31:05AM +0100, Kevin Barrass wrote:
> 
> I've seen in the below link that enabling "no ip unreachables" on a
> interface can break PMTUD across your network if the outgoing interface
> is then on a link with an MTU too small as the interface with "no ip
> unreachables" will not send a packet too big type message.

It would be correct if the command had this effect, given that the
ICMP TYPE/CODE in question (3/4) is in fact an "unreachable". Other
unreachable types are "no route to network" (usually meaning there
is no route to the destination in the RIB/FIB of the reporting router),
"no route to host" (typically reported when ARP resolution failed for
a destination IP on the router that connects to the destination network,
though Cisco IOS is known to not generate this kind of error message
for reasons beyond me) and "administratively unreachable" as generated
by a firewall. The intention of plugging this silly command is probably
to suppress the latter meaning on a firewall style device. But it breaks
a whole and *essential* subclass of ICMP messages and obviously is just
begging for trouble. Almost like those people who fell to the ICMP
persecution complex ("There once was the PING of DEATH, so all ICMP
must be banned") and filter it altogether, just more subtle.

There are way too many devices out there configured with this command
though, thanks to SDM. My procedure for new boxes that have SDM on
them before they go to customers as CPEs: Delete everything from
flash, install latest stable IOS for the platform, erase startup,
configure it for the customer's needs. Never let the remains of SDM
survive in the poor nvram or flash...
 
> Does anyone have a link to a definitive list as to the effect of turning
> on this command as I thought that turning on this command didn't prevent
> the interface sending TTL expired and hence not breaking trace route but
> now I'm unsure.

It could not break traceroute because "TTL exceeded" is NOT an
unreachable. It's a "Time exceeded" type, with code "time to live
exceeded in transit" (the other code of this type is "time exceeded
in reassembly" which means a fragment was lost).

I do not have a list that tells exactly what the command does, but
I abhor what it says it does according to RFC 792 just by name - it
prevents the generation of any ICMP message of type 3 (unreachable).
And this is unacceptable.

HTH,
Andre.
-- 
   Real men don't make backups of their mail. They just send it out
    on the Internet and let the secret services do the hard work.

-> Andre Beck    +++ ABP-RIPE +++      IBH IT-Service GmbH, Dresden <-
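As an added illustration (not part of Andre's post and not Cisco IOS code), the following Python models the distinction the reply draws: ICMP type 3 (destination unreachable, including code 4 "fragmentation needed and DF set" and code 13 "administratively prohibited") is what an interface with "no ip unreachables" stops generating, while type 11 "time exceeded" (what traceroute relies on) is untouched. It decodes constructed ICMP headers with an RFC 1071 checksum and then simulates PMTUD across a hypothetical path of routers to show how suppressing type 3/4 on a router with a small outgoing link turns a normal MTU discovery into a black hole. The router names, link MTUs and packet bytes are constructed inputs.

```python
import struct

# ICMP types and codes (RFC 792; code 13 from RFC 1812) that the thread discusses.
ICMP_DEST_UNREACHABLE = 3
ICMP_TIME_EXCEEDED = 11

UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",            # the message PMTUD depends on
    13: "communication administratively prohibited",  # the firewall-style reject
}
TIME_EXCEEDED_CODES = {
    0: "time to live exceeded in transit",   # what traceroute relies on
    1: "fragment reassembly time exceeded",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an ICMP message (0 when valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int = 0) -> bytes:
    """Build a constructed 8-byte ICMP header. For type 3 code 4, `rest` carries the
    next-hop MTU in its low 16 bits (RFC 1191 layout: 16 unused bits, then MTU)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    return struct.pack("!BBHI", icmp_type, code, icmp_checksum(header), rest)


def classify_icmp(packet: bytes) -> dict:
    """Decode an ICMP header, name the message, and flag whether an interface
    configured with 'no ip unreachables' would have refused to generate it."""
    if len(packet) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = packet[0], packet[1]
    info = {
        "type": icmp_type,
        "code": code,
        # Only type 3 is an "unreachable" in the RFC 792 sense.
        "suppressed_by_no_ip_unreachables": icmp_type == ICMP_DEST_UNREACHABLE,
    }
    if icmp_type == ICMP_DEST_UNREACHABLE:
        info["name"] = UNREACHABLE_CODES.get(code, "unreachable, code %d" % code)
        if code == 4:
            info["next_hop_mtu"] = struct.unpack("!H", packet[6:8])[0]
    elif icmp_type == ICMP_TIME_EXCEEDED:
        info["name"] = TIME_EXCEEDED_CODES.get(code, "time exceeded, code %d" % code)
    else:
        info["name"] = "ICMP type %d, code %d" % (icmp_type, code)
    return info


def simulate_pmtud(path, no_ip_unreachables, initial_size=1500):
    """Model a sender doing PMTUD (DF set) across `path`, a list of hypothetical
    (router, outgoing_link_mtu) pairs in forwarding order. Routers named in
    `no_ip_unreachables` drop an oversized packet without a type 3 code 4 reply.
    Returns ("ok", pmtu) or ("blackhole", router, packet_size)."""
    size = initial_size
    while True:                              # each link can shrink `size` at most once
        for router, mtu in path:
            if size > mtu:
                if router in no_ip_unreachables:
                    return ("blackhole", router, size)   # sender never learns why
                size = mtu                                # type 3/4 told it the MTU
                break
        else:
            return ("ok", size)                           # packet fit every link


if __name__ == "__main__":
    for pkt in (build_icmp(3, 4, 1400), build_icmp(3, 13), build_icmp(11, 0)):
        print(classify_icmp(pkt))
    path = [("R1", 1500), ("R2", 1400), ("R3", 1300)]   # constructed topology
    print(simulate_pmtud(path, set()))                  # ('ok', 1300)
    print(simulate_pmtud(path, {"R2"}))                 # ('blackhole', 'R2', 1500)
```

The simulation treats each router as the one reporting its own outgoing link, which is why "no ip unreachables" on R1 (whose 1500-byte link never needs a report) is harmless while the same command on R2 leaves the sender retransmitting 1500-byte packets that silently vanish.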