[j-nsp] Disable ICMP Time Exceeded

Richard A Steenbergen ras at e-gerbil.net
Thu Apr 29 18:22:31 EDT 2010


On Thu, Apr 29, 2010 at 05:04:20PM +0200, david.roy at orange-ftgroup.com wrote:
> Hi all,
> 
> Is there a way to disable or rate-limit (in junos) the sending of ICMP
> Time Exceeded when the box receives datagrams with a TTL expired.

Not directly afaik. You could firewall packets that are about to TTL
expire, so they never get processed in the first place. The ICMP
generation is handled by the PFE CPU, so I'm not sure if a lo0 filter
would affect that, but a physical interface filter should work.

Usually the issue is the opposite from the hard coded ICMP generation
rate limit which you can't tweak, i.e. as soon as some customer points a
default route back at you and creates a small routing loop your router
starts looking shitty in traceroute and every idiot on the Internet with
mtr and/or visual traceroute descends upon your noc email/phone like a
swarm of locusts. You haven't lived until you've received a complaint in
the form of a windows desktop screenshot of a tracert.exe window
embedded in a word document, zipped, with porn windows open in the
background.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
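Added illustration (not from the poster or the thread): the interface-filter approach described above, written out as a Junos configuration fragment. The filter catches packets arriving with an IPv4 TTL of 1 (the ones this hop would have to answer with Time Exceeded) and hands them to a policer, so a routing loop can only provoke a bounded rate of ICMP generation while ordinary traceroute still works. Filter, policer, counter and interface names are placeholders; the bandwidth figures are arbitrary. The `ttl` match condition is only available in `family inet` filters on MX-series MPC hardware, so check the platform before committing. Replacing the policer action with a plain `discard` would suppress Time Exceeded entirely, at the cost of this hop showing up as `* * *` in every transit traceroute.

```junos
firewall {
    /* Token-bucket limit for packets that would expire here; excess is dropped */
    policer TTL1-POLICER {
        if-exceeding {
            bandwidth-limit 64k;
            burst-size-limit 10k;
        }
        then discard;
    }
    family inet {
        filter LIMIT-TTL-EXPIRING {
            /* Packets arriving with TTL 1 would be expired by this router */
            term ttl-one {
                from {
                    ttl 1;
                }
                then {
                    policer TTL1-POLICER;
                    count ttl-expiring;
                    accept;
                }
            }
            /* Everything else is forwarded untouched */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    /* Placeholder customer-facing interface; apply on ingress so the PFE never
       has to generate the ICMP for packets the policer drops */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input LIMIT-TTL-EXPIRING;
                }
            }
        }
    }
}
```

After commit, `show firewall filter LIMIT-TTL-EXPIRING` reports the `ttl-expiring` counter and the policer's discard count, which is a useful early signal that a customer has created a loop even before the traceroute complaints arrive.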