Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: New router feature - icmp error source-interface [was: icmp rpf]

  • From: Payam Tarverdyan Chychi
  • Date: Tue Sep 26 01:24:24 2006

Joseph S D Yao wrote:
On Mon, Sep 25, 2006 at 09:22:34AM -0400, Patrick W. Gilmore wrote:
...

Who thinks it would be a "good idea" to have a knob such that ICMP error messages are always source from a certain IP address on a router?
...


I've sometimes thought it would be useful when I wanted to hide a route.
But security via obscurity just makes it that much harder to fix
something. Many more times than this would have been useful, I've been
able to identify at which router a problem was by a 'traceroute' that
told me into which router by which interface I was going. When the
owner of the router might not even have known. Or I have had attempts
to do this foiled by routers that used an internal loopback IP address.
On the whole, then, I guess I would vote, "no".


Why not just do a show ip route? since you can actually verify the information against your routing table.
This way you can see when the route was learned, where was it learned from and how long ago it was last updated...
the problem is that too many people "engineers" rely on traceroute... sure traceroute is a wonderful tool, however it is meant to assist you in "tracking down" the problem.

I've seen far too many "you are filtering, investigate please" when all that has been done is implementing acls and rate limiting.

IMO, If you want to implement a non-routable ip space to protect your backbone... go for it
if you want to icmp rate limit *i know level3 does this out of both nyc and la* which causes mass threads of "we are getting packet loss, please investigate" go for it ..

if your network engineers are not equipped with the information to how to fully diagnose a network/problem.... you should think about new hires.

Cheers,
Payam





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.