First, let me thank everyone who responded to my previous question about routers prioritizing control traffic; your comments were much appreciated.

My next question is about responses to ICMP pings (echo request), when they return ICMP UNREACHABLE with codes 9, 10 or 13. These codes are defined as follows:

unreachable 9 Communication with Destination Network is Administratively Prohibited
unreachable 10 Communication with Destination Host is Administratively Prohibited
unreachable 13 Communication Administratively Prohibited - generated if a router cannot forward a packet due to administrative filtering

Responses with these codes seem to imply the presence of a firewall. Is this assumption correct or are these codes meaningless? If this is a configurable parameter, how do you typically decide what to set it to?

Thanks!

Christos Papadopoulos
Colorado State University
On Wed, 28 Mar 2007, Christos Papadopoulos wrote:
My next question is about responses to ICMP pings (echo request), when they return ICMP UNREACHABLE with codes 9,10 or 13.
Responses with these codes seem to imply the presence of a firewall. Is this assumption correct or are these codes meaningless?
They do have meaning, and you do see them in production (generally in traceroute responses.) These can indicate the presence of either a firewall, or an ACL. Both traffic barriers are typically configurable, and whether or not you get a response is very often dictated by how hardcore the network engineer or security engineer is about giving up information about their network.
If this is a configurable parameter, how do you typically decide what to set it to?
See previous comment about relative values of hardcore. Arguably, use of these options is telling the end user things about your network configuration, including, very specifically, which device is blocking their traffic. Depending on your security stance and requirements, this may be good or bad. Personally, I simply drop the offending packets into the bitbucket and let the user wonder. - billn
On Mar 28, 2007, at 3:57 PM, Christos Papadopoulos wrote:
Responses with these codes seem to imply the presence of a firewall. Is this assumption correct or are these codes meaningless?
Not just firewalls - ACLs on routers, too. A common practice is to either turn off sending of unreachables or to at least rate-limit them to preserve CPU on the router.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

Words that come from a machine have no soul.
-- Duong Van Ngo
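Both replies above turn on the same observation: an ICMP type 3 message with code 9, 10 or 13 names the device that refused the packet (its source address) and quotes the header of the packet it refused, which is exactly the information Bill Nash prefers not to give away. The following is an added example, written for this page rather than taken from any of the posters, that builds such a message from a constructed echo request and then classifies it the way a prober would. The router address 192.0.2.1, the prober 198.51.100.7 and the target 203.0.113.5 are documentation addresses chosen for the example; the packets are constructed in memory, so nothing is sent on the wire.

```python
"""
Build and classify ICMP Destination Unreachable messages whose code
signals administrative filtering (codes 9, 10 and 13 from RFC 1812).

All packets here are constructed in memory with documentation
addresses (RFC 5737); nothing is transmitted.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_ICMP = 1
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8

# Destination Unreachable codes that mean "a filter refused this", not "no route".
ADMIN_PROHIBITED = {
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}


@dataclass
class Verdict:
    filtered_by: str      # source address of the ICMP message: the filtering device
    code: int
    reason: str
    original_dst: str     # destination of the quoted (refused) datagram
    original_proto: int   # protocol of the quoted datagram (1 = ICMP for a ping)


def rfc1071_checksum(data: bytes) -> int:
    """Ones-complement checksum used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", rfc1071_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_echo_request(ident: int = 0x1234, seq: int = 1, data: bytes = b"ping") -> bytes:
    """ICMP echo request (type 8) as a prober would send it."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + data
    return icmp[:2] + struct.pack("!H", rfc1071_checksum(icmp)) + icmp[4:]


def build_unreachable(router: str, prober: str, code: int, original: bytes) -> bytes:
    """What a router/firewall emits when it refuses `original`: ICMP type 3 with the
    given code, quoting the original IP header plus the first 8 bytes of its payload
    (RFC 792), addressed back to the original sender."""
    quoted = original[:28]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", rfc1071_checksum(icmp)) + icmp[4:]
    return build_ipv4(router, prober, IPPROTO_ICMP, icmp)


def classify(packet: bytes) -> Optional[Verdict]:
    """Return a Verdict if `packet` is an admin-prohibited unreachable, else None.
    Anything with a bad ICMP checksum, a non-admin code or a truncated quote is
    ignored rather than trusted."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP or len(packet) < ihl + 8:
        return None
    icmp = packet[ihl:]
    if rfc1071_checksum(icmp) != 0:      # a valid checksum verifies to zero
        return None
    itype, code = icmp[0], icmp[1]
    if itype != ICMP_DEST_UNREACH or code not in ADMIN_PROHIBITED:
        return None
    quoted = icmp[8:]
    if len(quoted) < 20:                 # need the full quoted IP header
        return None
    return Verdict(
        filtered_by=socket.inet_ntoa(packet[12:16]),
        code=code,
        reason=ADMIN_PROHIBITED[code],
        original_dst=socket.inet_ntoa(quoted[16:20]),
        original_proto=quoted[9],
    )


def demo() -> Optional[Verdict]:
    """Constructed scenario: prober 198.51.100.7 pings 203.0.113.5; a filter at
    192.0.2.1 answers with code 13."""
    echo = build_ipv4("198.51.100.7", "203.0.113.5", IPPROTO_ICMP, build_echo_request())
    return classify(build_unreachable("192.0.2.1", "198.51.100.7", 13, echo))


if __name__ == "__main__":
    print(demo())
```

Run stand-alone it prints a Verdict naming 192.0.2.1 as the filtering device and 203.0.113.5 as the refused destination; that pairing is precisely what silently dropping the packet, or disabling unreachables on the router, withholds from the prober. A code 1 (host unreachable) reply, or a reply whose checksum does not verify, is deliberately not treated as evidence of a filter.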