[j-nsp] ICMP Recommendation !!
Chuck Anderson
cra at WPI.EDU
Wed Apr 9 09:45:08 EDT 2014
Do not block unreachable or you will break PMTUD.
http://lost-carrier.org/why-disabling-icmp-unreachables-is-a-bad-thing/
These ones are okay to block for IPv4:
icmp-type info-request
icmp-type info-reply
icmp-type mask-request
icmp-type mask-reply
icmp-type redirect
icmp-type router-advertisement
icmp-type router-solicit
icmp-type timestamp
icmp-type timestamp-reply
On Wed, Apr 09, 2014 at 05:19:54AM -0700, Harri Makela wrote:
> Hi Guys
>
> Do you have any recommendations to block certain ICMP packets on internet facing devices as part of security compliance i.e.
>
> icmp-type unreachable
> icmp-type mask-reply
>
> Few devices are J6350
>
> admin at J6350# show security
> ssh-known-hosts {
>     host x.x.x.x {
>         rsa-key xx
>     }
>     host x.x.x.x {
>         rsa-key xx
>     }
> }
> alg {
>     dns disable;
>     ftp disable;
>     h323 disable;
>     mgcp disable;
>     msrpc disable;
>     sunrpc disable;
>     real disable;
>     rsh disable;
>     rtsp disable;
>     sccp disable;
>     sip disable;
>     sql disable;
>     talk disable;
>     tftp disable;
>     pptp disable;
> }
> forwarding-options {
>     family {
>         inet6 {
>             mode packet-based;
>         }
>         mpls {
>             mode packet-based;
>         }
>     }
> }
> flow {
>     allow-dns-reply;
>     tcp-session {
>         no-syn-check;
>         no-syn-check-in-tunnel;
>         no-sequence-check;
>     }
> }
>
> http://www.juniper.net/techpubs/software/junos-es/junos-es92/junos-es-swconfig-security/understanding-ip-address-sweeps.html
>
> Others are MX80
>
> admin at MX80# show security
> ssh-known-hosts {
>     host x.x.x.x {
>         rsa-key xx
>     }
>     host x.x.x.x {
>         rsa-key xx
>     }
> }
>
> Looking for a brief document as per JUNOS recommendation really. Any advice will be highly appreciated.
>
> Thanks
> HM
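The following is an added example of how Chuck's list translates into a Junos firewall filter; it is not configuration posted by anyone in this thread. It keeps `unreachable` (and therefore the fragmentation-needed message PMTUD depends on), `time-exceeded` and `parameter-problem` reachable, discards and counts only the nine IPv4 types listed above, and leaves everything else alone. The filter name `protect-re`, the counter name `icmp-discards`, and applying it as an input filter on `lo0.0` are assumptions for illustration; a real Routing Engine filter would carry further terms for the management and routing protocols in use.

```junos
firewall {
    family inet {
        filter protect-re {
            /* ICMP the router and its neighbours actually need: keep
               unreachable (incl. fragmentation-needed for PMTUD) */
            term icmp-keep {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded parameter-problem ];
                }
                then accept;
            }
            /* The types from the reply above that are safe to drop on an
               Internet-facing box; count them so the drops are visible */
            term icmp-discard {
                from {
                    protocol icmp;
                    icmp-type [ info-request info-reply mask-request mask-reply redirect router-advertisement router-solicit timestamp timestamp-reply ];
                }
                then {
                    count icmp-discards;
                    discard;
                }
            }
            /* Non-ICMP traffic is outside the scope of this example */
            term default-accept {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

After committing, `show firewall filter protect-re` shows the `icmp-discards` counter, which is the quickest way to confirm that the discard term is matching what you expect and that `unreachable` is not being swept up with it.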