no ip unreachables

Unanswered Question
Aug 26th, 2008


What are the consequences of disabling IP unreachables?

Within the context of device hardening, it is recommended to disable this.

However, I've also read that this could affect PMTUD and sending of "packet too big" messages.

What are your experiences in this regard? Also your point of view please.


Richard Burts Tue, 08/26/2008 - 08:44


ICMP message type 3 is an unreachable message. Within this message type are a number of "codes" which define the various types of messages. This table is from IANA and shows the various types:

Type 3: Destination Unreachable [RFC792]

  Code  Description                                                             Reference
     0  Net Unreachable                                                         [RFC792]
     1  Host Unreachable                                                        [RFC792]
     2  Protocol Unreachable                                                    [RFC792]
     3  Port Unreachable                                                        [RFC792]
     4  Fragmentation Needed and Don't Fragment was Set                         [RFC792]
     5  Source Route Failed                                                     [RFC792]
     6  Destination Network Unknown                                             [RFC1122]
     7  Destination Host Unknown                                                [RFC1122]
     8  Source Host Isolated                                                    [RFC1122]
     9  Communication with Destination Network is Administratively Prohibited   [RFC1122]
    10  Communication with Destination Host is Administratively Prohibited      [RFC1122]
    11  Destination Network Unreachable for Type of Service                     [RFC1122]
    12  Destination Host Unreachable for Type of Service                        [RFC1122]
    13  Communication Administratively Prohibited                               [RFC1812]
    14  Host Precedence Violation                                               [RFC1812]
    15  Precedence cutoff in effect                                             [RFC1812]

As you can see, the Fragmentation Needed but Do Not Fragment code is one of those. So yes, PMTUD will be impacted when you configure no unreachables.

Also, since the Cisco/Unix traceroute is based on sending UDP packets and looking for the Port Unreachable message to indicate that the probe has reached the destination, disabling unreachables will break traceroute.

From a security standpoint, when you harden a device you want to minimize the amount of information that the device provides about itself to others, and disabling unreachables helps achieve this. But from the standpoint of things that help our network work better, the unreachable is helpful.

So you have two different points of view, each with its own position on unreachables. Which is more important: hardening devices by reducing the information they provide, or helping the network run better?

[edit] For anyone who would be interested, here is a link to the ICMP message types and codes:



rsgamage1 Tue, 08/26/2008 - 12:59

Thanks so much for sharing your knowledge Rick.

Any other ideas and experiences on this please?

Richard Burts Tue, 08/26/2008 - 13:25


I find it unfortunate that disabling unreachables impacts the things that it does. A part of me would like to keep them enabled. But several of my customers have policies that, as a standard, we should disable unreachables. And from the standpoint of wanting to tighten up security, I agree with the position of no ip unreachables.



rsgamage1 Wed, 08/27/2008 - 05:08

Yes, Rick. However, I suppose that this decision is based on the domain of interest.

For instance, when private peering is involved it would be interesting to have unreachables enabled, until end-to-end network reachability is validated. Later on, one can think of hardening the device (security).

Within the domain of Internet routing, I'm not quite sure whether there's a standard practice. As you've mentioned already, this may be dependent on the policies of each AS admin.

rkalia1 Wed, 08/27/2008 - 10:58

Disabling ICMP unreachables can have an adverse effect in VPN scenarios. VPNs have extra packet overhead due to encryption, so the source needs to know to send smaller packets if the packet size becomes too large to be sent over the WAN. Here PMTUD comes in handy. If it is disabled on any of the routers along the path, then the source will never know what packet size to send and the packets will get dropped. This is the Black Hole Router problem. The same can be said about non-VPN traffic too.

The applications most badly hit by this problem over VPN are Citrix and MS Outlook. The best way to avoid this on VPNs is to adjust the IP MTU and TCP MSS on the VPN gateway device where the tunnels are terminated.

Usually all providers have ICMP unreachables enabled. It is good to have it enabled to avoid the problems discussed. I have experienced these problems a lot.
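
Rick's code table and rkalia1's black-hole point both come down to what a router stops sending under "no ip unreachables". The following is an added example written for this thread, not code from any poster or from Cisco: it builds and decodes ICMP type 3 messages per the RFC 792 and RFC 1191 field layouts, and the quoted datagram and router reply it uses are constructed, not captured.

```python
# Added example for this thread (not from any poster or from Cisco): decode ICMPv4 type 3 messages.
# Code 4 carries the Next-Hop MTU (RFC 1191) PMTUD depends on; code 3 is what UDP traceroute waits for.
import struct

# ICMP type 3 code names, as in the IANA table quoted in the thread.
UNREACHABLE_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
    5: "Source Route Failed", 6: "Destination Network Unknown",
    7: "Destination Host Unknown", 8: "Source Host Isolated",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    11: "Destination Network Unreachable for Type of Service",
    12: "Destination Host Unreachable for Type of Service",
    13: "Communication Administratively Prohibited", 14: "Host Precedence Violation",
    15: "Precedence cutoff in effect"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid message checksums to 0."""
    total = sum(struct.unpack("!%dH" % ((len(data) + 1) // 2), data + b"\0" * (len(data) % 2)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_unreachable(code: int, quoted: bytes, next_hop_mtu: int = 0) -> bytes:
    """Type 3 message quoting the offending datagram (its IP header + first 8 bytes)."""
    header = struct.pack("!BBHHH", 3, code, 0, 0, next_hop_mtu)
    return struct.pack("!BBHHH", 3, code, icmp_checksum(header + quoted), 0, next_hop_mtu) + quoted

def parse_unreachable(icmp: bytes) -> dict:
    """Parse a type 3 message, rejecting wrong type, bad checksum or truncation."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated: need ICMP header, quoted IP header and 8 payload bytes")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 3 or icmp_checksum(icmp) != 0:
        raise ValueError("not a valid Destination Unreachable message")
    inner = icmp[8:]                                # quoted original datagram
    ihl = (inner[0] & 0x0F) * 4                     # its IP header length in bytes
    if ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted datagram shorter than its own header length + 8")
    ports = struct.unpack("!HH", inner[ihl:ihl + 4]) if inner[9] in (6, 17) else (None, None)
    return {"code": code, "name": UNREACHABLE_CODES.get(code, "Unassigned"),
            "next_hop_mtu": mtu if code == 4 else None, "protocol": inner[9],
            "dst": ".".join(str(b) for b in inner[16:20]), "dst_port": ports[1]}

# Constructed (not captured) quoted datagram: 1500-byte UDP packet with DF set,
# 192.0.2.1 -> 198.51.100.7, destination port 33434 (the first UDP traceroute probe port).
QUOTED = struct.pack("!BBHHHBBH4s4sHHHH", 0x45, 0, 1500, 0x1234, 0x4000, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]), 40000, 33434, 1480, 0)
# What a router with a 1400-byte next-hop MTU sends back for that datagram.
TOO_BIG = build_unreachable(4, QUOTED, next_hop_mtu=1400)
```

With unreachables suppressed on the router, neither TOO_BIG nor the code 3 reply to the final traceroute probe is ever generated, which is exactly the PMTUD and traceroute breakage described above.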

rsgamage1 Fri, 08/29/2008 - 00:08


Wouldn't it be a better idea to have ip unreachables enabled but rate limited, so that it would also guarantee security to a certain extent?

Ref: PMTUD section of,

P.S. Someone has rated one of the posts with 1. In my opinion, the poster has misunderstood the original query and should not have rated it. It would have been better if he/she had just sought clarification regarding the same, rather than rating it as "Not helpful".

