RE: ICMP Query!!!

From: Tyson Scott <tscott_at_ipexpert.com>
Date: Sun, 14 Nov 2010 17:59:56 -0500

Sadiq,

Only two protocols work with NBAR classification with control plane
policing, PPPoE and ARP. That doesn't make other protocols by definition
control plane protocols. Personally I think the response by Paul to be the
most precise and to the point, even if he said ICMP instead of IGMP, in
describing control plane protocols. But at the end of the day the most
important fact is that ICMP traffic can affect the control plane of the
router and thus measures should be taken to protect the router.

When I read the statement below it says (in my view) ICMP, IP traffic with
IP options, and others "MIGHT" require handling by the route processor.
This traffic that might require processing by the route processor is often
referred to as control plane traffic.

To me it doesn't say that ICMP and IP traffic with IP options is control
plane traffic but that it might require processing at the control plane.
Thus Control Plane protection mechanisms should be put in place to prevent
such security risks.

It still does not say to me that ICMP is by definition control plane
traffic. But I think that my view is up for debate which has been more than
evident by this string of emails.

CCIE Kid I hope the purpose of your request has been answered by all of
this. And you can also see just how bullheaded we all are :-)

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com

From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
Sent: Saturday, November 13, 2010 4:04 PM
To: ron wilkerson
Cc: Tyson Scott; negron.paul_at_gmail.com; tron_at_huapi.ba.ar;
eliteccie_at_gmail.com; ccielab_at_groupstudy.com
Subject: Re: ICMP Query!!!

Exactly!

"The vast majority of packets handled by a router travel through the router
by way of the forwarding plane, or data plane. However, the system's route
processor must handle certain packets, such as routing protocols,
keepalives, packets destined to the local IP addresses of the router, and
packets from management protocols and other interactive access protocols,
such as Telnet and Secure Shell (SSH) Protocol. In addition, packets from
protocols such as Internet Control Message Protocol (ICMP), with IP options,
and others, might require handling by the route processor as well. This type
of traffic is often referred to as control plane traffic."

This is the same reason why using NBAR for ICMP classification when
configuring CoPP does NOT work. You need to use an ACL in a class-map to
perform such classification. Very expensive lesson for me ;-)

ICMP terminating on a router is indeed Control Plane traffic.

Sadiq

On Sat, Nov 13, 2010 at 8:30 PM, ron wilkerson <ron.wilkerson_at_gmail.com>
wrote:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd805ffde8.html

read the 4th paragraph.

On Sat, Nov 13, 2010 at 3:24 PM, Tyson Scott
<tyson.scott_at_advtechracks.com> wrote:

> ICMP is not control plane traffic. ICMP unreachables go to the CEF
> exception for example. Consider the control plane as protocols that
> glue the network together. ICMP traffic to the router goes to the host
> control plane because of being directed to the device thus it must
> handle it. ICMP is data traffic that may be used for management
> purposes.
>
> Regards,
>
> Tyson Scott
> CCIE # 13513 (R&S, Security, SP)
> Managing Partner/Technical Instructor - IPexpert Inc.
> tscott_at_ipexpert.com
>
>
> ----- Reply message -----
> From: "Paul Negron" <negron.paul_at_gmail.com>
> Date: Sat, Nov 13, 2010 2:10 pm
> Subject: ICMP Query!!!
> To: "ron.wilkerson_at_gmail.com" <ron.wilkerson_at_gmail.com>, "Carlos G
> Mendioroz" <tron_at_huapi.ba.ar>
> Cc: "CCIE KID" <eliteccie_at_gmail.com>, "Cisco certification"
> <ccielab_at_groupstudy.com>
>
>
> Very Interesting Response.
>
> I guess I primarily viewed ICMP as testing the Control Plane/ Data Plane
> with the Majority of ICMP Query types:
>
> * 0 = Echo Reply ("ping response")
> * 8 = Echo Request ("ping query")
> * 9 = Router Advertisement (RFC 1256)
> * 10 = Router Solicitation (RFC 1256)
> * 13 = Time Stamp Request
> * 14 = Time Stamp Reply
> * 17 = Address Mask Request
> * 18 = Address Mask Reply
>
> I know my definition is a little Narrow but it does help differentiate ICMP
> from protocols like RSVP, PIM, EIGRP that strictly represent Control Plane
> from a Routing Switching perspective.
>
> As far as the view that because ICMP uses the CPU being a CLEAR definition,
> this I would disagree with. What would Process Switching be then? Control
> Plane or Data Plane activity?
>
> Carlos and Ron do make a good point to expand my Narrow definition though.
> :-)
>
> Paul
>
>
> --
> Paul Negron
> CCIE# 14856 CCSI# 22752
> Senior Technical Instructor
> www.micronicstraining.com
>
>
>
> > From: <ron.wilkerson_at_gmail.com>
> > Reply-To: <ron.wilkerson_at_gmail.com>
> > Date: Fri, 12 Nov 2010 23:58:17 +0000
> > To: Paul Negron <negron.paul_at_gmail.com>, Carlos G Mendioroz <tron_at_huapi.ba.ar>
> > Cc: CCIE KID <eliteccie_at_gmail.com>, Cisco certification
> > <ccielab_at_groupstudy.com>
> > Subject: Re: ICMP Query!!!
> >
> > Agree with Carlos...
> > I've always thought of control plane as anything that the CPU has to look at.
> > Some ICMP packets require the CPU, so I'd classify those ICMP as control plane
> > packets.
> >
> >
> > Sent from my Verizon Wireless BlackBerry
> >
> > -----Original Message-----
> > From: Paul Negron <negron.paul_at_gmail.com>
> > Sender: nobody_at_groupstudy.com
> > Date: Fri, 12 Nov 2010 16:39:10
> > To: Carlos G Mendioroz<tron_at_huapi.ba.ar>
> > Reply-To: Paul Negron <negron.paul_at_gmail.com>
> > Cc: CCIE KID<eliteccie_at_gmail.com>; Cisco certification<ccielab_at_groupstudy.com>
> > Subject: Re: ICMP Query!!!
> >
> > It is true that they help convey information or make sure a path is clear to
> > send larger packets, but ICMP is not intended to help create state within
> > the control plane.
> >
> > Like I said....
> >
> >
> > IGMP helps to create a path in which Traffic will use.
> > ICMP uses the data plane that a control plane protocol created.
> >
> > Does anyone else have anything useful to contribute?
> >
> > I would always love to hear another explanation that can be useful and I'm
> > sure CCIE KID would too, unless the "KID" already gets it.
> >
> >
> > Narbik?
> >
> >
> > --
> > Paul Negron
> > CCIE# 14856 CCSI# 22752
> > Senior Technical Instructor
> > www.micronicstraining.com
> >
> >
> >
> >> From: Carlos G Mendioroz <tron_at_huapi.ba.ar>
> >> Date: Fri, 12 Nov 2010 17:39:56 -0300
> >> To: Paul Negron <negron.paul_at_gmail.com>
> >> Cc: CCIE KID <eliteccie_at_gmail.com>, Cisco certification
> >> <ccielab_at_groupstudy.com>
> >> Subject: Re: ICMP Query!!!
> >>
> >> I would call ICMP redirect packets a control thing though.
> >> And when using ICMP probes (echo request/reply) as part of an IP SLA
> >> construct, they are a control thing too.
> >> What about packet too big ?
> >>
> >> In fact, Internet Control Message Protocol sounds a lot to control :)
> >>
> >> -Carlos
> >>
> >> Paul Negron @ 10/11/2010 14:21 -0300 dixit:
> >>> I apologize, I meant to state:
> >>>
> >>>> IGMP packets are used to create state on the Router that receives them.
> >>>> Since it is used to create state, it is a part of the Control Plane
> >>>> process.
> >>>> It joins so that trees can be built, Although it is PIM that builds them.
> >>>>
> >>>> ICMP is generating traffic and is not associated with building ANYTHING. It
> >>>> is considered Data Plane traffic. It uses paths that have already been set up
> >>>> by a Control Plane Protocol, like OSPF or EIGRP or PIM for that matter.
> >>>
> >>> I accidentally stated ICMP twice.
> >>>
> >>> Paul
> >>
> >> --
> >> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>

--
stop talking
Blogs and organic groups at http://www.ccie.net
Received on Sun Nov 14 2010 - 17:59:56 ART
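
The ACL-based classification for CoPP that Sadiq describes in the thread, sketched as an added example that is not part of any poster's message. The names COPP-ICMP-ACL, COPP-ICMP and COPP-POLICY and the 8000 bps police rate are assumptions chosen for illustration.

```cisco
! Constructed example: object names and the police rate are assumptions.
!
! Per the thread, NBAR classification ("match protocol icmp") does not
! work for ICMP under control plane policing, so the class matches on
! an ACL instead.
!
ip access-list extended COPP-ICMP-ACL
 permit icmp any any
!
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP-ACL
!
! Rate-limit ICMP that is punted to the route processor; traffic that
! stays in the forwarding plane is not touched by this policy.
policy-map COPP-POLICY
 class COPP-ICMP
  police 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```

Once the policy is attached, `show policy-map control-plane` shows the conform and exceed counters for the class, which is how to confirm that the ACL is actually matching ICMP.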
