[Outages-discussion] Anyone aware of problems around Chicago (I believe)?

Jeremy Chadwick outages at jdc.parodius.com
Fri May 1 07:03:45 EDT 2009


On Fri, May 01, 2009 at 11:53:18AM +0200, Gert Doering wrote:
> > 2.  For safety and security, ICMP, ping packets and traceroutes must be 
> > blocked.
> 
> This is the security nazi guys.  "We don't know what it is good for, so
> it must be evil, and let's block it!"

And I'd love to hear the justification behind the "safety and security"
aspect of blocking ICMP time exceeded responses.  It's even more common
these days to de-prioritise such traffic, resulting in users and SAs
misinterpreting traceroute or mtr results ("hop #4 has between 28-50%
packet loss, that must be the problem").

As I understand it -- and please, those heavy in the networking field
please correct me if I'm wrong -- the justification is based on mid-90s
attacks on routers using numerous types of ICMP.  It's now 2009, and
this is still a focal point every place I've worked + been involved
with.  Being as packet kids now have access to more bandwidth than was
even remotely comprehensible in the mid-90s, and aren't interested in
"taking out routers" as much as they are interested in saturating links,
I'm left wondering 

Please do not reply to my request with something terse -- take the time
to explain, technically, why ICMP time exceeded (type 11) should be
altogether blocked or de-prioritised.

Then again, maybe this is a better discussion for NANOG.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
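The misreading described above ("hop #4 has between 28-50% packet loss, that must be the problem") can be checked mechanically: loss caused by a real forwarding problem at a hop is inherited by every later hop, while loss that vanishes downstream means only that hop is rate-limiting or de-prioritising its ICMP time-exceeded replies. The following is an added example, not code from this thread; the mtr report it parses is constructed, and the 5% threshold is an assumption.

```python
"""Tell ICMP rate-limiting apart from real path loss in an mtr report."""
import re

# Constructed mtr --report output (not captured from a real network):
# hop 4 shows 40% loss, but hops 5 and 6 behind it show none.
SAMPLE_MTR_REPORT = """\
HOST: workstation                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1                  0.0%    50    0.4   0.4   0.3   0.9   0.1
  2.|-- 198.51.100.1               0.0%    50    2.1   2.3   1.9   4.8   0.5
  3.|-- 198.51.100.9               0.0%    50    8.7   8.9   8.2  12.1   0.7
  4.|-- 203.0.113.5               40.0%    50    9.1  22.4   8.9  61.0  15.3
  5.|-- 203.0.113.17               0.0%    50   11.2  11.4  10.8  14.0   0.6
  6.|-- 203.0.113.200              0.0%    50   12.0  12.1  11.5  13.9   0.4
"""

# hop number, address, loss percentage, probes sent
HOP_RE = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%\s+(\d+)")


def parse_mtr_report(text):
    """Return [(hop_no, address, loss_pct, sent)] for each hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2),
                         float(m.group(3)), int(m.group(4))))
    return hops


def classify_loss(hops, threshold=5.0):
    """Label every hop whose loss is at or above `threshold` percent.

    'path-loss'    : no later hop recovers, so probes really are being dropped
                     on the forwarding path at or before this hop (the final
                     hop always gets this label: it is end-to-end loss).
    'icmp-limited' : some later hop sees clearly less loss, so forwarding is
                     fine and this hop is merely not answering every probe
                     with an ICMP time-exceeded (type 11) reply.
    """
    labels = {}
    for i, (hop_no, _addr, loss, _sent) in enumerate(hops):
        if loss < threshold:
            continue
        downstream = [h[2] for h in hops[i + 1:]]
        if downstream and min(downstream) < loss - threshold:
            labels[hop_no] = "icmp-limited"
        else:
            labels[hop_no] = "path-loss"
    return labels
```

On the constructed report this labels hop 4 as `icmp-limited`, which is the case where blaming hop 4 for "the problem" would be wrong.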

