<rant> Providers blocking all ICMP = ignorant I can't possibly stand any ISP's blocking _ALL_ ICMP (alas it is happening now, I already know 5 ISP's around my area who's doing this as I speak) for any reasons. If you want to *cough*cough*mitigate*/cough*/cough* impact of so-called BLASTER, please please please for the love of god, just block echo/echo replies. Not to mention blocking icmp will not help stop the propagation of the worm. </rant> -hc -- Haesu C. TowardEX Technologies, Inc. Consulting, colocation, web hosting, network design and implementation http://www.towardex.com | haesu@towardex.com Cell: (978)394-2867 | Office: (978)263-3399 Ext. 174 Fax: (978)263-0033 | POC: HAESU-ARIN On Mon, Sep 29, 2003 at 09:43:14AM -0700, CA Windon wrote:
Dear NANOG-ers,
I work for an information security company that is dependant upon ICMP for network mapping purposes (read: traceroute). On or about August 18, we were told, our upstream provider began blocking ICMP packets at its border in the Chicago NAP in an effort to cut down on the propagation of 'MSBlast'. This has effected our ability to accurately map our customers networks.
We've been in contact with an engineer in this provider's NOC who is either unable or unwilling to remove this ACL for our block of IPs.
Currently, we've been given two options. (1) Deal with the effect of the ACL until 'MSBlast' traffic subsides, or (2) they are willing to reroute our traffic out of the Chicago NAP to a border router that, they claim, does not have the same ACL. The problem with option 2 is that they would force us to renumber. This is a problem for us, as it would impact our customers as well.
What options can I take to my management that would cause the least impact to the services we provide while not causing undue work for our clients. Also, what other options could I suggest to my upstream provider?
TIA,
C. Windon
__________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com