FW: Different treatment for *transit* ICMP

Stefan Savage (savage@cs.washington.edu)
Mon, 7 Dec 1998 08:57:10 -0800

As time goes on, traceroute is increasingly going to be a poor
drop/latency metric. We're going to have to move to something harder to
distinguish from regular traffic (TCP discard, or my "in progress" TCP
tool).

- Stefan

-----Original Message-----
From: Matt Mathis [mailto:mathis@griffy.psc.edu]
Sent: Saturday, December 05, 1998 7:37 PM
To: Daniel McRobb
Cc: end2end-interest@ISI.EDU; Chris Rapier;
Havard.Eidnes@runit.sintef.no
Subject: Different treatment for *transit* ICMP

There are now confirmed reports that providers are treating transit
ICMP differently than other packets. Providers are installing ICMP
rate limits to defend against so called smurf attacks. (Can somebody
cite the CERT bulletin?)

See the attached message quoted from the IPPM list.

Clearly this trashes any measurement which hits the limit.
But worse it may affect the forwarding time, even when the packets are
not dropped by the filter.

This is clearly something that we will be following.

--MM--
---------------------------------------------------------
From: Chris Rapier <rapier@psc.edu>
Cc: ippm@advanced.org
Subject: ICMP and future testing

We all know that more and more providers are either rate limiting or
blocking ICMP packets entirely. Being that a number of the common
network tools (both for diagnosis and performance evaluation) are based
entirely or in part on ICMP, how does this affect future metric
development and tool usage? Is it going to be necessary to define a new
packet protocol to take the place of ICMP? Is the roll out of IPv6 going
to help matters any?

Chris Rapier
Network Programmerthingy
NCNE/PSC/NLANR/ABC/123
---------------------------------------------------------

From: Havard.Eidnes@runit.sintef.no
Subject: Re: ICMP and future testing

> I've heard a little about this (mostly speculation on nanog),
> but you seem to be better informed than I on this matter.
>
> Please say more about what you believe the providers are doing.

!
interface POS5/0/0
description NYY-SHN VC4S001, us-ndn
rate-limit output access-group 100 1000000 40000 60000 \
conform-action transmit exceed-action drop
!
access-list 100 permit icmp any any echo-reply
access-list 100 deny ip any any
!

us-gw#show int pos 5/0/0 rate
POS5/0/0 NYY-SHN VC4S001, us-ndn
Output
matches: access-group 100
params: 1000000 bps, 40000 limit, 60000 extended limit
conformed 56632146 packets, 24435M bytes; action: transmit
exceeded 167907796 packets, 167443M bytes; action: drop
last packet: 27478ms ago, current burst: 0 bytes
last cleared 1w6d ago, conformed 172000 bps, exceeded 1179000 bps
us-gw#

That ought to speak for itself. ;-)

- Håvard
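As an added illustration of the point the thread makes (that a per-interface ICMP rate-limit cannot tell a measurement reply from smurf traffic, and so silently turns attack load into apparent path loss for ping-style tools), here is a small simulation. It is not code from the thread or from Cisco: it models the `rate-limit output access-group 100 1000000 40000 ...` line above as a plain single-rate token bucket (the committed rate plus the normal burst; the extended-burst behaviour of CAR is deliberately not modelled, which is an assumption), applies it only to packets matched by the quoted access-list (echo-replies), and runs constructed traffic through it: a 2 Mbit/s flood of 64-byte echo-replies, one 64-byte echo-reply probe per second, and one TCP probe per second of the kind Stefan suggests. The flow labels, packet sizes and timings are all constructed for the example.

```python
"""Token-bucket model of an ICMP echo-reply rate limiter (added example)."""
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Dict, List


@dataclass
class TokenBucket:
    """Single-rate token bucket standing in for the router's rate-limit.

    Assumption: only the committed rate and the normal burst are modelled;
    CAR's extended burst is ignored, so a packet that finds fewer tokens
    than its size is dropped outright. Time is integer microseconds and
    tokens are exact Fractions so the run is fully deterministic.
    """
    rate_bps: int            # committed rate in bits per second
    burst_bytes: int         # bucket depth ("normal burst") in bytes
    tokens: Fraction = field(init=False)
    last_us: int = 0
    conformed_pkts: int = 0
    conformed_bytes: int = 0
    exceeded_pkts: int = 0
    exceeded_bytes: int = 0

    def __post_init__(self) -> None:
        self.tokens = Fraction(self.burst_bytes)   # bucket starts full

    def offer(self, t_us: int, size: int) -> bool:
        """Refill for the elapsed time, then transmit (True) or drop (False)."""
        # rate_bps/8 bytes per second == rate_bps/8_000_000 bytes per microsecond
        refill = (t_us - self.last_us) * Fraction(self.rate_bps, 8_000_000)
        self.tokens = min(Fraction(self.burst_bytes), self.tokens + refill)
        self.last_us = t_us
        if self.tokens >= size:
            self.tokens -= size
            self.conformed_pkts += 1
            self.conformed_bytes += size
            return True
        self.exceeded_pkts += 1
        self.exceeded_bytes += size
        return False


@dataclass(frozen=True)
class Packet:
    t_us: int        # arrival time in microseconds
    proto: str       # "icmp" or "tcp"
    icmp_type: str   # "echo-reply", "echo-request", ... or "" for non-ICMP
    size: int        # bytes on the wire
    flow: str        # constructed label, used only for accounting


def matches_acl_100(pkt: Packet) -> bool:
    """access-list 100 permit icmp any any echo-reply / deny ip any any."""
    return pkt.proto == "icmp" and pkt.icmp_type == "echo-reply"


def run_interface(packets: List[Packet], limiter: TokenBucket) -> Dict[str, Dict[str, int]]:
    """Forward packets in arrival order; only ACL-matched ones see the limiter."""
    stats: Dict[str, Dict[str, int]] = {}
    for pkt in sorted(packets, key=lambda p: p.t_us):
        s = stats.setdefault(pkt.flow, {"offered": 0, "sent": 0})
        s["offered"] += 1
        if not matches_acl_100(pkt) or limiter.offer(pkt.t_us, pkt.size):
            s["sent"] += 1
    return stats


def smurf_scenario(duration_s: int = 10) -> List[Packet]:
    """Constructed traffic mix (not a capture): a 2 Mbit/s echo-reply flood,
    twice the 1 Mbit/s limit, plus one ICMP and one TCP probe per second."""
    pkts = []
    # 2,000,000 bit/s of 64-byte packets is one packet every 256 microseconds
    for m in range(duration_s * 1_000_000 // 256):
        pkts.append(Packet(m * 256, "icmp", "echo-reply", 64, "smurf-flood"))
    for k in range(duration_s):
        t = 500_000 + k * 1_000_000          # never coincides with a flood slot
        pkts.append(Packet(t, "icmp", "echo-reply", 64, "ping-probe"))
        pkts.append(Packet(t + 100, "tcp", "", 64, "tcp-probe"))
    return pkts


def loss_fraction(stats: Dict[str, Dict[str, int]], flow: str) -> Fraction:
    s = stats[flow]
    return Fraction(s["offered"] - s["sent"], s["offered"])


def rate_limit_counters(limiter: TokenBucket, duration_s: int) -> Dict[str, int]:
    """Averages in the spirit of the 'show int ... rate' output quoted above."""
    return {
        "conformed_bps": limiter.conformed_bytes * 8 // duration_s,
        "exceeded_bps": limiter.exceeded_bytes * 8 // duration_s,
    }


def demo(duration_s: int = 10):
    limiter = TokenBucket(rate_bps=1_000_000, burst_bytes=40_000)
    stats = run_interface(smurf_scenario(duration_s), limiter)
    return limiter, stats


if __name__ == "__main__":
    lim, st = demo()
    for flow in st:
        print(f"{flow:12s} loss {float(loss_fraction(st, flow)):.3f}  {st[flow]}")
    print(f"conformed {lim.conformed_pkts} packets, {lim.conformed_bytes} bytes; "
          f"exceeded {lim.exceeded_pkts} packets, {lim.exceeded_bytes} bytes")
    print(rate_limit_counters(lim, 10))
```

With the flood at twice the committed rate and the same packet size as the probe, the bucket never holds 64 bytes between flood packets once the initial 40000-byte burst is spent, so every ICMP probe reply is dropped while the TCP probes, which the access-list does not match, pass untouched; the conformed average lands a little above 1 Mbit/s only because of the initial burst credit. Which individual probes survive depends on their size relative to the flood packets and on arrival timing, but the filter's decision never depends on which host sent the reply, which is the measurement problem the thread describes.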