Re: ICMP Query!!!

From: Paul Negron <negron.paul_at_gmail.com>
Date: Sun, 14 Nov 2010 18:36:23 -0700

As I said before,

What would you call Process Switching? Or the Internal forwarding that takes
place within the CRS-1. There can be a software architecture that forwards
packets. It is handled by several CPUs but is STILL not considered Control
Plane traffic at All. In that case it is Data packets being punted. One of
which can be ICMP packets.

The answer is not as simple as you think.

-- 
Paul Negron
CCIE# 14856 CCSI# 22752
Senior Technical Instructor
www.micronicstraining.com
> From: gopal gupta <gopgupta_at_cisco.com>
> Date: Sun, 14 Nov 2010 19:14:39 -0600
> To: 'Tyson Scott' <tscott_at_ipexpert.com>, 'Sadiq Yakasai'
> <sadiqtanko_at_gmail.com>, 'ron wilkerson' <ron.wilkerson_at_gmail.com>
> Cc: 'Tyson Scott' <tyson.scott_at_advtechracks.com>, <negron.paul_at_gmail.com>,
> <tron_at_huapi.ba.ar>, <eliteccie_at_gmail.com>, <ccielab_at_groupstudy.com>
> Subject: RE: ICMP Query!!!
> 
> Is everything that is handled by CPU....should be considered as a control
> plane traffic????
> Let's say NAT is handled by Router CPU traditionally...does that mean it is
> control plane traffic?
> 
> The discussion should be followed as :- anything processed by Router CPU is
> considered as a control plane traffic or not??? If that is answered debate
> will end.... :-). My answer to that will be YES.
> 
> As far as Control plane is concerned it is the shared plane for all the
> Protocols that need cpu processing. And anything that needs to be answered
> by CPU, is the control plane traffic although some exceptional type of
> traffic also goes through control plane. It can be considered as Bad people
> in good people community. Here is the CoPP default Nexus 7K Config:-
> 
> As per this config it states that we want to apply some policy for that
> ICMP Traffic to protect control plane from overloading. So, this means it is
> control plane traffic when (Unreachable, Options, Etc.) need CPU Processing
> else NOT.
> 
> class-map type control-plane match-any copp-system-class-critical
>   match access-group name copp-system-acl-bgp
>   match access-group name copp-system-acl-bgp6
>   match access-group name copp-system-acl-eigrp
>   match access-group name copp-system-acl-igmp
>   match access-group name copp-system-acl-msdp
>   match access-group name copp-system-acl-ospf
>   match access-group name copp-system-acl-ospf6
>   match access-group name copp-system-acl-pim
>   match access-group name copp-system-acl-pim6
>   match access-group name copp-system-acl-rip
>   match access-group name copp-system-acl-vpc
> class-map type control-plane match-any copp-system-class-exception
>   match exception ip option
>   match exception ip icmp unreachable
>   match exception ipv6 option
>   match exception ipv6 icmp unreachable
> class-map type control-plane match-any copp-system-class-important
>   match access-group name copp-system-acl-cts
>   match access-group name copp-system-acl-glbp
>   match access-group name copp-system-acl-hsrp
>   match access-group name copp-system-acl-vrrp
>   match access-group name copp-system-acl-wccp
>   match access-group name copp-system-acl-icmp6-msgs
>   match access-group name copp-system-acl-pim-reg
> class-map type control-plane match-any copp-system-class-management
>   match access-group name copp-system-acl-ftp
>   match access-group name copp-system-acl-ntp
>   match access-group name copp-system-acl-ntp6
>   match access-group name copp-system-acl-radius
>   match access-group name copp-system-acl-sftp
>   match access-group name copp-system-acl-snmp
>   match access-group name copp-system-acl-ssh
>   match access-group name copp-system-acl-ssh6
>   match access-group name copp-system-acl-tacacs
>   match access-group name copp-system-acl-telnet
>   match access-group name copp-system-acl-tftp
>   match access-group name copp-system-acl-tftp6
>   match access-group name copp-system-acl-radius6
>   match access-group name copp-system-acl-tacacs6
>   match access-group name copp-system-acl-telnet6
> class-map type control-plane match-any copp-system-class-monitoring
>   match access-group name copp-system-acl-icmp
>   match access-group name copp-system-acl-icmp6
>   match access-group name copp-system-acl-traceroute
> class-map type control-plane match-any copp-system-class-normal
>   match access-group name copp-system-acl-dhcp
>   match redirect dhcp-snoop
>   match protocol arp
> class-map type control-plane match-any copp-system-class-redirect
>   match redirect arp-inspect
> class-map type control-plane match-any copp-system-class-undesirable
>   match access-group name copp-system-acl-undesirable
> policy-map type control-plane copp-system-policy
>   class copp-system-class-critical
>     police cir 39600 kbps bc 250 ms conform transmit violate drop
>   class copp-system-class-important
>     police cir 1060 kbps bc 1000 ms conform transmit violate drop
>   class copp-system-class-management
>     police cir 10000 kbps bc 250 ms conform transmit violate drop
>   class copp-system-class-normal
>     police cir 680 kbps bc 250 ms conform transmit violate drop
>   class copp-system-class-redirect
>     police cir 280 kbps bc 250 ms conform transmit violate drop
>   class copp-system-class-monitoring
>     police cir 130 kbps bc 1000 ms conform transmit violate drop
>   class copp-system-class-exception
>     police cir 360 kbps bc 250 ms conform transmit violate drop
>   class copp-system-class-undesirable
>     police cir 32 kbps bc 250 ms conform drop violate drop
>   class class-default
>     police cir 100 kbps bc 250 ms conform transmit violate drop
> control-plane
>   service-policy input copp-system-policy
> 
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Tyson Scott
> Sent: Sunday, November 14, 2010 5:00 PM
> To: 'Sadiq Yakasai'; 'ron wilkerson'
> Cc: Tyson Scott; negron.paul_at_gmail.com; tron_at_huapi.ba.ar;
> eliteccie_at_gmail.com; ccielab_at_groupstudy.com
> Subject: RE: ICMP Query!!!
> 
> Sadiq,
> 
> Only two protocols work with NBAR classification with control plane
> policing, PPPOE and ARP.  That doesn't make other protocols by definition
> control plane protocols.  Personally I think the response by Paul to be the
> most precise and to the point, even if he said ICMP instead of IGMP, in
> describing control plane protocols.  But at the end of the day the most
> important fact is that ICMP traffic can affect the control plane of the
> router and thus measures should be taken to protect the router.
> 
> When I read the statement below it says (in my view) ICMP, IP traffic with
> IP options, and others "MIGHT" require handling by the route processor.
> This traffic that might require processing by the route processor is often
> referred to as control plane traffic.
> 
> To me it doesn't say that ICMP and IP traffic with IP options is control
> plane traffic but that it might require processing at the control plane.
> Thus Control Plane protection mechanisms should be put in place to prevent
> such security risks.
> 
> It still does not say to me that ICMP is by definition control plane
> traffic.  But I think that my view is up for debate which has been more than
> evident by this string of emails.
> 
> CCIE Kid I hope the purpose of your request has been answered by all of
> this.  And you can also see just how bull headed we all are :-)
> 
> Regards,
> 
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> tscott_at_ipexpert.com
> 
> From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
> Sent: Saturday, November 13, 2010 4:04 PM
> To: ron wilkerson
> Cc: Tyson Scott; negron.paul_at_gmail.com; tron_at_huapi.ba.ar;
> eliteccie_at_gmail.com; ccielab_at_groupstudy.com
> Subject: Re: ICMP Query!!!
> 
>  
> 
> Exactly!
> 
> "The vast majority of packets handled by a router travel through the router
> by way of the forwarding plane, or data plane. However, the system's route
> processor must handle certain packets, such as routing protocols,
> keepalives, packets destined to the local IP addresses of the router, and
> packets from management protocols and other interactive access protocols,
> such as Telnet and Secure Shell (SSH) Protocol. In addition, packets from
> protocols such as Internet Control Message Protocol (ICMP), with IP options,
> and others, might require handling by the route processor as well. This type
> of traffic is often referred to as control plane traffic."
> 
> This is the same reason why using NBAR for ICMP classification when
> configuring COPP does NOT work. You need to use an ACL in a class-map to
> perform such classification. Very expensive lesson for me ;-)
> 
> ICMP terminating on a router, is indeed Control Plane traffic.
> 
> Sadiq
> 
> On Sat, Nov 13, 2010 at 8:30 PM, ron wilkerson <ron.wilkerson_at_gmail.com>
> wrote:
> 
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd805ffde8.html
> 
> read the 4th paragraph.
> 
> On Sat, Nov 13, 2010 at 3:24 PM, Tyson Scott
> <tyson.scott_at_advtechracks.com> wrote:
> 
> 
>> ICMP is not control plane traffic.  ICMP unreachables go to the CEF
>> exception for example.  Consider the control plane as protocols that
>> glue the network together.  ICMP traffic to the router goes to the host
>> control plane because of being directed to the device thus it must
>> handle it.  ICMP is data traffic that may be used for management
>> purposes.
>> 
>> Regards,
>> 
>> Tyson Scott
>> CCIE # 13513 (R&S, Security, SP)
>> Managing Partner/Technical Instructor - IPexpert Inc.
>> tscott_at_ipexpert.com
>> 
>> 
>> ----- Reply message -----
>> From: "Paul Negron" <negron.paul_at_gmail.com>
>> Date: Sat, Nov 13, 2010 2:10 pm
>> Subject: ICMP Query!!!
>> To: "ron.wilkerson_at_gmail.com" <ron.wilkerson_at_gmail.com>, "Carlos G
>> Mendioroz" <tron_at_huapi.ba.ar>
>> Cc: "CCIE KID" <eliteccie_at_gmail.com>, "Cisco certification"
>> <ccielab_at_groupstudy.com>
>> 
>> 
>> Very Interesting Response.
>> 
>> I guess I primarily viewed ICMP as testing the Control Plane/ Data Plane
>> with the Majority of ICMP Query types:
>> 
>> * 0 = Echo Reply ("ping response")
>> * 8 = Echo Request ("ping query")
>> * 9 = Router Advertisement (RFC 1256)
>> * 10 = Router Solicitation (RFC 1256)
>> * 13 = Time Stamp Request
>> * 14 = Time Stamp Reply
>> * 17 = Address Mask Request
>> * 18 = Address Mask Reply
>> 
>> I know my definition is a little Narrow but it does help differentiate ICMP
>> from protocols like RSVP, PIM, EIGRP that strictly represent Control Plane
>> from a Routing Switching perspective.
>> 
>> As far as the view that because ICMP uses the CPU being a CLEAR definition,
>> this I would disagree with. What would Process Switching be then? Control
>> Plane or Data Plane activity?
>> 
>> Carlos and Ron do make a good point to expand my Narrow definition though.
>> :-)
>> 
>> Paul
>> 
>> 
>> --
>> Paul Negron
>> CCIE# 14856 CCSI# 22752
>> Senior Technical Instructor
>> www.micronicstraining.com
>> 
>> 
>> 
>>> From: <ron.wilkerson_at_gmail.com>
>>> Reply-To: <ron.wilkerson_at_gmail.com>
>>> Date: Fri, 12 Nov 2010 23:58:17 +0000
>>> To: Paul Negron <negron.paul_at_gmail.com>, Carlos G Mendioroz <tron_at_huapi.ba.ar>
>>> Cc: CCIE KID <eliteccie_at_gmail.com>, Cisco certification
>>> <ccielab_at_groupstudy.com>
>>> Subject: Re: ICMP Query!!!
>>> 
>>> Agree with carlos...
>>> I've always thought of control plane as anything that the cpu has to look at.
>>> Some icmp packets require the cpu, so I'd classify those icmp as control plane
>>> packets.
>>> 
>>> 
>>> Sent from my Verizon Wireless BlackBerry
>>> 
>>> -----Original Message-----
>>> From: Paul Negron <negron.paul_at_gmail.com>
>>> Sender: nobody_at_groupstudy.com
>>> Date: Fri, 12 Nov 2010 16:39:10
>>> To: Carlos G Mendioroz<tron_at_huapi.ba.ar>
>>> Reply-To: Paul Negron <negron.paul_at_gmail.com>
>>> Cc: CCIE KID <eliteccie_at_gmail.com>; Cisco certification <ccielab_at_groupstudy.com>
>>> Subject: Re: ICMP Query!!!
>>> 
>>> It is true that they help convey information or make sure a path is clear to
>>> send larger packets, but ICMP is not intended to help create state within
>>> the control plane.
>>> 
>>> Like I said....
>>> 
>>> 
>>> IGMP helps to create a path in which Traffic will use.
>>> ICMP uses the data plane that a control plane protocol created.
>>> 
>>> Does anyone else have anything useful to contribute?
>>> 
>>> I would always love to hear another explanation that can be useful and I'm
>>> sure CCIE KID would too, unless the "KID" already gets it.
>>> 
>>> 
>>> Narbik?
>>> 
>>> 
>>> --
>>> Paul Negron
>>> CCIE# 14856 CCSI# 22752
>>> Senior Technical Instructor
>>> www.micronicstraining.com
>>> 
>>> 
>>> 
>>>> From: Carlos G Mendioroz <tron_at_huapi.ba.ar>
>>>> Date: Fri, 12 Nov 2010 17:39:56 -0300
>>>> To: Paul Negron <negron.paul_at_gmail.com>
>>>> Cc: CCIE KID <eliteccie_at_gmail.com>, Cisco certification
>>>> <ccielab_at_groupstudy.com>
>>>> Subject: Re: ICMP Query!!!
>>>> 
>>>> I would call ICMP redirect packets a control thing though.
>>>> And when using ICMP probes (echo request/reply) as part of a IP SLA
>>>> construct, they are a control thing too.
>>>> What about packet too big ?
>>>> 
>>>> In fact, Internet Control Message Protocol sounds a lot to control :)
>>>> 
>>>> -Carlos
>>>> 
>>>> Paul Negron @ 10/11/2010 14:21 -0300 dixit:
>>>>> I apologize,  I meant to state:
>>>>> 
>>>>>> IGMP packets are used to create state on the Router that receives them.
>>>>>> Since it is used to create state, it is a part of the Control Plane
>>>>>> process.
>>>>>> It joins so that trees can be built, Although it is PIM that builds them.
>>>>>> 
>>>>>> ICMP is generating traffic and is not associated with building ANYTHING. It
>>>>>> is considered Data Plane traffic. It uses paths that have already been
>>>>>> setup
>>>>>> by a Control Plane Protocol, like OSPF or EIGRP or PIM for that matter.
>>>>> 
>>>>> I accidentally stated ICMP twice.
>>>>> 
>>>>> Paul
>>>> 
>>>> --
>>>> Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
>>> 
>>> 
>>> Blogs and organic groups at http://www.ccie.net
>>> 
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>> 
>> 
> --
> stop talking
> 
> 
> 
> -- 
> CCIEx2 (R&S|Sec) #19963
> 
> 
Received on Sun Nov 14 2010 - 18:36:23 ART
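
Added example (not part of the original thread and not Cisco code): a small audit script that reads a CoPP configuration in the format of the Nexus 7K default quoted above and reports which control-plane classes match ICMP and the policer rate each is held to. The function names parse_copp and icmp_policers are hypothetical, and SAMPLE is an excerpt constructed from the quoted config.

```python
import re

# Constructed excerpt of the Nexus 7K CoPP default quoted in the thread.
SAMPLE = """\
class-map type control-plane match-any copp-system-class-critical
  match access-group name copp-system-acl-ospf
class-map type control-plane match-any copp-system-class-exception
  match exception ip option
  match exception ip icmp unreachable
class-map type control-plane match-any copp-system-class-important
  match access-group name copp-system-acl-icmp6-msgs
class-map type control-plane match-any copp-system-class-monitoring
  match access-group name copp-system-acl-icmp
policy-map type control-plane copp-system-policy
  class copp-system-class-critical
    police cir 39600 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-important
    police cir 1060 kbps bc 1000 ms conform transmit violate drop
  class copp-system-class-monitoring
    police cir 130 kbps bc 1000 ms conform transmit violate drop
  class copp-system-class-exception
    police cir 360 kbps bc 250 ms conform transmit violate drop
"""

def parse_copp(text):
    """Return ({class: [match clauses]}, {class: policer CIR in kbps})."""
    matches, rates, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted config
        if m := re.match(r"class-map type control-plane \S+ (\S+)$", line):
            current = m.group(1)
            matches[current] = []
        elif line.startswith("match ") and current in matches:
            matches[current].append(line[len("match "):])
        elif m := re.match(r"class (\S+)$", line):
            current = m.group(1)  # now inside the policy-map
        elif m := re.match(r"police cir (\d+) kbps", line):
            rates[current] = int(m.group(1))
    return matches, rates

def icmp_policers(text):
    """Map each class with an ICMP match to (clauses, CIR kbps or None)."""
    matches, rates = parse_copp(text)
    out = {}
    for cls, clauses in matches.items():
        hits = [c for c in clauses if "icmp" in c]
        if hits:
            out[cls] = (hits, rates.get(cls))  # None: class is never policed
    return out
```

A class that comes back with a rate of None has a class-map matching ICMP but no policer in the policy-map, which is the case worth reviewing on a device where ICMP can reach the route processor.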

This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:56 ART