I just find your statement "As a network can fundamentally function without the use of ICMP anywhere, meaning I could block all ICMP traffic and everything will still work, I consider it to be out of scope." a tad too strong. And your reply is pretty ironic, given the reason "ip tcp-mss adjust" got added to IOS.
On 11/14/2010 12:45 PM, Tyson Scott wrote:
>  Andrey,
>
>  I am not sure what you mean by me forgetting it.  I gave a few examples, by
>  no means is this an exhaustive discussion of ICMP types but MTU discovery
>  still relies on unreachable, fragmentation needed, which is still not
>  necessary.  I can still block all ICMP traffic and not cause problems with
>  TCP sessions by setting the "ip tcp mss" on interfaces as well.  But I am
>  not sure if this is what you are referring to?
>
>  Regards,
>
>  Tyson Scott - CCIE #13513 R&S, Security, and SP
>  Managing Partner / Sr. Instructor - IPexpert, Inc.
>  Mailto: tscott_at_ipexpert.com
>
>
>  -----Original Message-----
>  From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>  Andrey Tarasov
>  Sent: Sunday, November 14, 2010 3:15 PM
>  To: ccielab_at_groupstudy.com
>  Subject: Re: ICMP Query!!!
>
>  Tyson,
>
>  I think you forgot Path MTU discovery.
>
>  Regards,
>  Andrey.
>
>  On 11/14/2010 12:05 PM, Tyson Scott wrote:
>>  Dale,
>>
>>  I agree.  My PAK argument doesn't hold water after I think about it further
>>  as well ;).  I have thought a lot about this the last day and I think there
>>  is room for debate each way.  But if you read Yusuf Bhaiji's Network Security
>>  Technologies book his simple statement on control plane is that it consists
>>  of protocols that help to "glue the network together".  As a network can
>>  fundamentally function without the use of ICMP anywhere, meaning I could
>>  block all ICMP traffic and everything will still work, I consider it to be
>>  out of scope.  That although ICMP traffic may come to the control plane for
>>  one reason or another, like ICMP redirect to give better route information
>>  or ICMP unreachable in the event of an unknown network or TTL expiration for
>>  traceroute, ICMP is not required to run the network.  Whereas other things
>>  like IGMP, as Paul pointed out below, are required for multicast to work.
>>
>>  Fundamentally the Control Plane is traffic generated or accepted by the
>>  router that is necessary for the network to perform functions, i.e. routing
>>  protocols, multicast, IOS firewall (transit control plane).  ICMP doesn't
>>  fall under any of those categories.  Read Yusuf's book, it is probably one
>>  of the best clarifications on this topic out there.  I also have the slides
>>  from his internal presentation on the topic.
>>
>>  Now in what I have stated I will clarify that ICMP should be considered in
>>  CoPP Policy because it is a protocol that can affect the performance and
>>  security of the router.  Just as undesirable traffic is also considered
>>  something you should protect the control plane from, or undesirable IP
>>  options.  So ICMP falls under the category of a protocol that Control Plane
>>  Protection is used to prevent from affecting the router, not a protocol that
>>  is necessary for the operation of the control plane.
>>
>>  Regards,
>>
>>  Tyson Scott - CCIE #13513 R&S, Security, and SP
>>  Managing Partner / Sr. Instructor - IPexpert, Inc.
>>  Mailto: tscott_at_ipexpert.com
>
>  Blogs and organic groups at http://www.ccie.net
>
Received on Sun Nov 14 2010 - 13:14:08 ART
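An added example, written by the editor and not taken from any poster in this thread, showing how the two positions above meet in IOS configuration: ICMP to the router is classified and policed under CoPP (tolerated but rate-limited, as Tyson suggests) rather than dropped outright, and TCP MSS is clamped on the edge interface (the interface form of the command is `ip tcp adjust-mss`) so TCP sessions no longer depend on the ICMP "fragmentation needed" messages that Path MTU discovery needs, which is Andrey's concern. The ACL name, police rates, interface and MSS value are assumptions, not values from the thread.

```cisco
! Assumed names and values throughout; size them to the platform and link MTU.
!
! 1. Classify ICMP addressed to the router: useful (echo, unreachable,
!    time-exceeded for traceroute) but not required to run the network.
ip access-list extended COPP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
!
class-map match-all COPP-ICMP-CLASS
 match access-group name COPP-ICMP
!
! 2. Police it so an ICMP flood cannot starve routing protocols, which are
!    the traffic the control plane actually depends on. Rate and burst are
!    assumed: 32 kbps, 4000-byte burst.
policy-map COPP-POLICY
 class COPP-ICMP-CLASS
  police 32000 4000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
! 3. Clamp the TCP MSS at the edge so sessions survive even where a
!    downstream filter drops ICMP "fragmentation needed" and PMTUD fails.
!    1360 is an assumed value for a link carrying tunnel overhead.
interface GigabitEthernet0/1
 ip tcp adjust-mss 1360
```

The MSS clamp only protects TCP; UDP and other traffic that relies on PMTUD still needs the ICMP unreachable messages to pass, which is why the policy above permits them rather than blocking ICMP entirely.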