RE: ICMP Query!!!

From: Tyson Scott <tscott_at_ipexpert.com>
Date: Sun, 14 Nov 2010 15:45:26 -0500

Andrey,

I am not sure what you mean by me forgetting it. I gave a few examples, by
no means is this an exhaustive discussion of ICMP types but MTU discovery
still relies on unreachable, fragmentation needed, which is still not
necessary. I can still block all ICMP traffic and not cause problems with
TCP sessions by setting the "ip tcp mss" on interfaces as well. But I am
not sure if this is what you are referring to?

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Andrey Tarasov
Sent: Sunday, November 14, 2010 3:15 PM
To: ccielab_at_groupstudy.com
Subject: Re: ICMP Query!!!

Tyson,

I think you forgot Path MTU discovery.

Regards,
Andrey.

On 11/14/2010 12:05 PM, Tyson Scott wrote:
> Dale,
>
> I agree. My PAK argument doesn't hold water after I think about it further
> as well ;). I have thought a lot about this the last day and I think there
> is room for debate each way. But if you read Yusuf Bhaiji's Network Security
> Technologies book his simple statement on control plane is that it consists
> of protocols that help to "glue the network together". As a network can
> fundamentally function without the use of ICMP anywhere, meaning I could
> block all ICMP traffic and everything will still work, I consider it to be
> out of scope. That although ICMP traffic may come to the control plane for
> one reason or another, like ICMP redirect to give better route information
> or ICMP unreachable in the event of an unknown network or TTL expiration for
> traceroute, ICMP is not required to run the network. Whereas other things
> like IGMP, as Paul pointed out below, are required for multicast to work.
>
> Fundamentally the Control Plane is traffic generated or accepted by the
> router that is necessary for the network to perform functions, i.e. routing
> protocols, multicast, IOS firewall (transit control plane). ICMP doesn't
> fall under any of those categories. Read Yusuf's book, it is probably one
> of the best clarifications on this topic out there. I also have the slides
> from his internal presentation on the topic.
>
> Now in what I have stated I will clarify that ICMP should be considered in
> CoPP Policy because it is a protocol that can affect the performance and
> security of the router. Just as undesirable traffic is also considered
> something you should protect the control plane from, or undesirable IP
> options. So ICMP falls under the category of a protocol that Control Plane
> Protection is used to prevent from affecting the router, not a protocol that
> is necessary for the operation of the control plane.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: tscott_at_ipexpert.com
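The trade-off Tyson describes above (Path MTU discovery needing ICMP "fragmentation needed" to reach the sender, versus clamping the TCP MSS so the dependency goes away) as an added Python model. This is not code from anyone in this thread or from Cisco IOS: the link MTUs, the 1360-byte clamp and the 10,000-byte transfer are constructed sample values, the MSS clamp is modelled abstractly rather than as a specific IOS command, and TCP options, retransmission timers and IPv6 are ignored.

```python
"""Toy model of TCP Path MTU discovery with and without ICMP feedback.

Added example, not from the mailing-list thread. It shows why filtering all
ICMP can black-hole full-size TCP segments (PMTUD never learns the smaller
MTU) and why an MSS clamp lets the same path work without any ICMP at all.
All MTUs, clamp values and sizes below are constructed sample inputs.
"""
from __future__ import annotations
from dataclasses import dataclass, field

IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options


@dataclass
class Path:
    """Hop-by-hop link MTUs plus whether ICMP unreachables reach the sender."""
    link_mtus: list[int]
    icmp_unreachable_passes: bool = True


@dataclass
class Sender:
    """A TCP sender that starts from its first-hop MTU and learns from ICMP."""
    first_hop_mtu: int = 1500
    mss_clamp: int | None = None              # assumed: an MSS clamp applied in the path
    path_mtu: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.path_mtu = self.first_hop_mtu

    def segment_len(self) -> int:
        """Total IP packet length of the next full-size segment (DF bit set)."""
        mss = self.path_mtu - IP_HDR - TCP_HDR
        if self.mss_clamp is not None:
            mss = min(mss, self.mss_clamp)
        return mss + IP_HDR + TCP_HDR


def forward(path: Path, packet_len: int) -> tuple[str, int]:
    """Walk one DF packet hop by hop.

    Returns ("delivered", hop_count), ("frag_needed", next_hop_mtu) when the
    router's ICMP type 3 code 4 reaches the sender, or ("dropped", hop_index)
    when the packet is too big and the ICMP message is filtered on the way back.
    """
    for hop, mtu in enumerate(path.link_mtus):
        if packet_len > mtu:
            if path.icmp_unreachable_passes:
                return ("frag_needed", mtu)   # ICMP carries the next-hop MTU
            return ("dropped", hop)           # silent discard: no feedback at all
    return ("delivered", len(path.link_mtus))


def transfer(path: Path, sender: Sender, payload: int, max_retransmits: int = 3) -> dict:
    """Push `payload` bytes through `path` and report how the transfer ended."""
    remaining, retransmits, adjustments = payload, 0, 0
    while remaining > 0:
        seg = sender.segment_len()
        status, detail = forward(path, seg)
        if status == "delivered":
            remaining -= min(remaining, seg - IP_HDR - TCP_HDR)
        elif status == "frag_needed":
            sender.path_mtu = detail          # PMTUD: shrink to the advertised MTU
            adjustments += 1
        else:
            retransmits += 1                  # only a timeout tells us anything
            if retransmits > max_retransmits:
                return {"outcome": "black_hole", "segment_len": seg,
                        "pmtud_adjustments": adjustments,
                        "delivered": payload - remaining}
    return {"outcome": "ok", "segment_len": sender.segment_len(),
            "pmtud_adjustments": adjustments, "delivered": payload}


def scenarios() -> dict:
    """Three constructed cases over a path with a 1400-byte link in the middle."""
    mtus = [1500, 1400, 1500]
    return {
        "icmp_allowed": transfer(Path(mtus, True), Sender(), 10_000),
        "icmp_filtered": transfer(Path(mtus, False), Sender(), 10_000),
        "icmp_filtered_mss_clamped":
            transfer(Path(mtus, False), Sender(mss_clamp=1360), 10_000),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} {result}")
```

With ICMP allowed the sender takes one "fragmentation needed" round trip, drops to 1400-byte packets and finishes. With ICMP filtered and no clamp it retransmits 1500-byte packets into a silent drop until it gives up, which is the PMTUD black hole. With the clamp in place the segments are already 1400 bytes, so the transfer completes without any ICMP, which is the point Tyson is making; small packets such as a 500-byte probe pass in every case, which is why the problem is easy to miss in basic reachability tests.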

Blogs and organic groups at http://www.ccie.net
Received on Sun Nov 14 2010 - 15:45:26 ART

This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:56 ART