Re: ICMP Query!!!

From: Andrey Tarasov <andyvt_at_gmail.com>
Date: Sun, 14 Nov 2010 12:14:41 -0800

Tyson,

I think you forgot Path MTU discovery.

Regards,
Andrey.

On 11/14/2010 12:05 PM, Tyson Scott wrote:
> Dale,
>
> I agree. My PAK argument doesn't hold water after I think about it further
> as well ;). I have thought a lot about this the last day and I think there
> is room for debate each way. But if you read Yusuf Bhaiji's Network Security
> Technologies book his simple statement on control plane is that it consists
> of protocols that help to "glue the network together". As a network can
> fundamentally function without the use of ICMP anywhere, meaning I could
> block all ICMP traffic and everything will still work, I consider it to be
> out of scope. That although ICMP traffic may come to the control plane for
> one reason or another, like ICMP redirect to give better route information
> or ICMP unreachable in the event of an unknown network or TTL expiration for
> traceroute, ICMP is not required to run the network. Whereas other things
> like IGMP, as Paul pointed out below, is required for multicast to work.
>
> Fundamentally the Control Plane is traffic generated or accepted by the
> router that is necessary for the network to perform functions, i.e. routing
> protocols, multicast, IOS firewall (transit control plane). ICMP doesn't
> fall under any of those categories. Read Yusuf's book, it is probably one
> of the best clarifications on this topic out there. I also have the slides
> from his internal presentation on the topic.
>
> Now in what I have stated I will clarify that ICMP should be considered in
> CoPP Policy because it is a protocol that can affect the performance and
> security of the router. Just as undesirable traffic is also considered
> something you should protect the control plane from or undesirable IP
> options. So ICMP falls under the category of a protocol that Control Plane
> Protection is used to prevent from affecting the router, not a protocol that
> is necessary for the operation of the control plane.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: tscott_at_ipexpert.com

Received on Sun Nov 14 2010 - 12:14:41 ART
