RE: ICMP Blocking Woes

["Eric Germann" <ekgermann () cctec com>]

winders does use udp instead of icmp in their tracert program, IIRC (or at
least they used to).  At the risk of getting my head blown off, could we say
that was foresight :)

Eric


> -----Original Message-----
> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of
> Stephen J. Wilcox
> Sent: Monday, September 29, 2003 1:54 PM
> To: CA Windon
> Cc: nanog () merit edu
> Subject: Re: ICMP Blocking Woes
>
>
>
>
> Hmm noticed what I was to say has already been said, but to
> reiterate, if your
> provider is blocking ICMP other than echo/echoreply .. in this case ICMP
> unreachables and presumably fragments and other fundementally
> required icmps
> they are seriously broken and I would insist they fix it or else
> you move away
>
>
> You didnt clarify that in your mail tho, is it the icmp
> unreachables that you
> arent getting or is your monitoring sending out icmp echos which
> are being
> filtering?
>
> if its the latter then you can easily workaround by modifying
> your monitoring
> systems to use udp/tcp based probes which are probably better
> these days than
> sending icmp across third party networks anyhow
>
> Steve
>
> On Mon, 29 Sep 2003, CA Windon wrote:
>
> > Dear NANOG-ers,
> >
> > I work for an information security company that is
> > dependant upon ICMP for network mapping purposes
> > (read: traceroute).  On or about August 18, we were
> > told, our upstream provider began blocking ICMP
> > packets at its border in the Chicago NAP in an effort
> > to cut down on the propagation of 'MSBlast'.  This has
> > effected our ability to accurately map our customers
> > networks.
> >
> > We've been in contact with an engineer in this
> > provider's NOC who is either unable or unwilling to
> > remove this ACL for our block of IPs.
> >
> > Currently, we've been given two options.  (1) Deal
> > with the effect of the ACL until 'MSBlast' traffic
> > subsides, or (2) they are willing to reroute our
> > traffic out of the Chicago NAP to a border router
> > that, they claim, does not have the same ACL.  The
> > problem with option 2 is that they would force us to
> > renumber.  This is a problem for us, as it would
> > impact our customers as well.
> >
> > What options can I take to my management that would
> > cause the least impact to the services we provide
> > while not causing undue work for our clients.  Also,
> > what other options could I suggest to my upstream
> > provider?
> >
> > TIA,
> >
> > C. Windon
> >
> > __________________________________
> > Do you Yahoo!?
> > The New Yahoo! Shopping - with improved product search
> > http://shopping.yahoo.com