[j-nsp] Disable ICMP Time Exceeded

david.roy at orange-ftgroup.com david.roy at orange-ftgroup.com
Fri Apr 30 02:48:43 EDT 2010


Hi,

Yes, ICMP is handled by the CPU of the PFE. We can check ICMP throttling at this level.
As you said, a firewall filter at the interface level works. Thank you.

Regards,
David



 
David Roy
Orange France - RBCI IP Technical Assistance Center
Tel.   +33(0)299876472
Mob. +33(0)685522213
Email. david.roy at orange-ftgroup.com
 

-----Original Message-----
From: Richard A Steenbergen [mailto:ras at e-gerbil.net]
Sent: Friday, 30 April 2010 00:23
To: ROY David DTF/DERX
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Disable ICMP Time Exceeded

On Thu, Apr 29, 2010 at 05:04:20PM +0200, david.roy at orange-ftgroup.com wrote:
> Hi all,
> 
> Is there a way to disable or rate-limit (in Junos) the sending of ICMP 
> Time Exceeded when the box receives datagrams with an expired TTL?

Not directly afaik. You could firewall packets that are about to TTL expire, so they never get processed in the first place. The ICMP generation is handled by the PFE CPU, so I'm not sure if a lo0 filter would affect that, but a physical interface filter should work.

Usually the issue is the opposite from the hard coded ICMP generation rate limit which you can't tweak, i.e. as soon as some customer points a default route back at you and creates a small routing loop your router starts looking shitty in traceroute and every idiot on the Internet with mtr and/or visual traceroute descends upon your noc email/phone like a swarm of locusts. You haven't lived until you've received a complaint in the form of a windows desktop screenshot of a tracert.exe window embedded in a word document, zipped, with porn windows open in the background.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
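The interface-level approach Richard describes, written out as a Junos configuration. This is an added example, not configuration from the thread or from Juniper; the filter name, policer name, counter names and the interface ge-0/0/0 are assumed, as are the policer rates. It relies on the `ttl` match condition of `family inet` firewall filters, which Junos supports on MX Series platforms. A packet arriving with TTL 1 is the one that will expire at this hop and trigger an ICMP Time Exceeded, so matching on `ttl 1` on the ingress interface catches it before the PFE has to generate anything. The first term rate-limits rather than discards, so traceroute through the box keeps working under normal load while a routing loop cannot flood the PFE CPU.

```junos
/* Added example: policer for packets that will expire on this hop.
   Rates are assumed values; size them for the expected traceroute load. */
firewall {
    policer EXPIRING-TTL-POLICER {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 50k;
        }
        then discard;
    }
    family inet {
        filter LIMIT-EXPIRING-TTL {
            /* Packets with TTL 1 expire here: police them instead of
               letting an unbounded stream reach the PFE CPU. */
            term expiring-ttl {
                from {
                    ttl 1;
                }
                then {
                    count expiring-ttl;
                    policer EXPIRING-TTL-POLICER;
                    accept;
                }
            }
            /* Everything else is forwarded untouched. */
            term accept-rest {
                then accept;
            }
        }
    }
}
interfaces {
    /* Apply on the physical (customer-facing) interface, not lo0:
       transit packets whose TTL expires are never addressed to the
       Routing Engine, so a lo0 filter does not see them. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input LIMIT-EXPIRING-TTL;
                }
            }
        }
    }
}
```

To disable the responses outright instead of rate-limiting them, replace the policer action in term `expiring-ttl` with `discard`; `show firewall filter LIMIT-EXPIRING-TTL` then shows, via the `expiring-ttl` counter, how many packets the filter is absorbing, which is a useful indicator of a customer-side routing loop.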
