Cisco Support Community

New Member

no ip unreachables

Hi,

What are the consequences of disabling IP unreachables?

Within the context of device hardening it is recommended to disable this.

However, I've also read that this could affect PMTUD and sending of "packet too big" messages.

What are your experiences in this regard? Also, your point of view, please.

Thanks

8 REPLIES
Hall of Fame Super Silver

Re: no ip unreachables

Ranil

ICMP message type 3 is an unreachable message. Within this message type are a number of "codes" which define various types of messages. This table is from IANA and shows the various types:

3 Destination Unreachable [RFC792]

Codes

 0  Net Unreachable                                                        [RFC792]
 1  Host Unreachable                                                       [RFC792]
 2  Protocol Unreachable                                                   [RFC792]
 3  Port Unreachable                                                       [RFC792]
 4  Fragmentation Needed and Don't Fragment was Set                        [RFC792]
 5  Source Route Failed                                                    [RFC792]
 6  Destination Network Unknown                                            [RFC1122]
 7  Destination Host Unknown                                               [RFC1122]
 8  Source Host Isolated                                                   [RFC1122]
 9  Communication with Destination Network is Administratively Prohibited  [RFC1122]
10  Communication with Destination Host is Administratively Prohibited     [RFC1122]
11  Destination Network Unreachable for Type of Service                    [RFC1122]
12  Destination Host Unreachable for Type of Service                       [RFC1122]
13  Communication Administratively Prohibited                              [RFC1812]
14  Host Precedence Violation                                              [RFC1812]
15  Precedence cutoff in effect                                            [RFC1812]

As you can see, Fragmentation Needed but Do Not Fragment is one of those. So yes, PMTUD will be impacted when you configure no unreachables.

Also, since the Cisco/Unix traceroute is based on sending UDP packets and looking for the Port Unreachable message to indicate that the probe has reached the destination, disabling unreachables will break traceroute.

From a security standpoint, when you harden a device you want to minimize the amount of information that the device provides about itself to others, and disabling unreachables helps achieve this. But from the standpoint of things that help our network work better, the unreachable is helpful.

So you have two different points of view and their positions on unreachables. Which is more important: hardening devices by reducing the information that they provide, or helping the network to run better?

[edit] For anyone who is interested, here is a link to the ICMP message types and codes:

http://www.iana.org/assignments/icmp-parameters

HTH

Rick
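To make the two side effects Rick describes concrete, here is an added example (not part of Rick's post or any Cisco code) that decodes an ICMP type 3 message the way a traceroute implementation or a PMTUD-capable host would: it checks the checksum, maps the code to the IANA name from the table above, pulls the next-hop MTU out of a code 4 message (RFC 1191), and reads the quoted original IP and UDP headers that let a sender match the reply to the probe it sent. The two sample messages, the addresses in them and the 1400-byte next-hop MTU are constructed for the example, not captured traffic.

```python
import struct
import socket

# ICMP type 3 (Destination Unreachable) codes, as listed in the IANA
# registry quoted above (RFC 792, RFC 1122, RFC 1812).
UNREACHABLE_CODES = {
    0: "Net Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Needed and Don't Fragment was Set",
    5: "Source Route Failed",
    6: "Destination Network Unknown",
    7: "Destination Host Unknown",
    8: "Source Host Isolated",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    11: "Destination Network Unreachable for Type of Service",
    12: "Destination Host Unreachable for Type of Service",
    13: "Communication Administratively Prohibited",
    14: "Host Precedence Violation",
    15: "Precedence cutoff in effect",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_destination_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP Destination Unreachable message.

    Layout (RFC 792, RFC 1191): type(1) code(1) checksum(2) unused(2)
    next-hop MTU(2, meaningful for code 4 only), then the quoted IP header
    plus the first 8 bytes of the original datagram. For a UDP probe those
    8 bytes are the UDP header, which is how traceroute recognises the
    Port Unreachable for the probe it sent.
    """
    if len(icmp) < 8:
        raise ValueError("ICMP header truncated")
    icmp_type, code, _checksum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message (type %d)" % icmp_type)
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    result = {
        "code": code,
        "name": UNREACHABLE_CODES.get(code, "Unassigned"),
        "next_hop_mtu": next_hop_mtu if code == 4 else None,
    }
    quoted = icmp[8:]
    if len(quoted) >= 20:  # quoted IPv4 header is present
        ihl = (quoted[0] & 0x0F) * 4
        result["orig_src"] = socket.inet_ntoa(quoted[12:16])
        result["orig_dst"] = socket.inet_ntoa(quoted[16:20])
        result["orig_proto"] = quoted[9]
        if quoted[9] == 17 and len(quoted) >= ihl + 4:  # UDP: source and destination port
            sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
            result["orig_src_port"], result["orig_dst_port"] = sport, dport
    return result


# --- Constructed sample messages (not captured traffic) ---------------------

def _ipv4_header(src: str, dst: str, proto: int, total_length: int, df: bool) -> bytes:
    """Minimal 20-byte IPv4 header; the IP checksum is left zero because the
    ICMP decoder only needs IHL, protocol and addresses from the quote."""
    flags_frag = 0x4000 if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, flags_frag,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_unreachable(code: int, quoted_datagram: bytes, next_hop_mtu: int = 0) -> bytes:
    """Assemble a type 3 message with a correct checksum around a quoted datagram."""
    body = struct.pack("!BBHHH", 3, code, 0, 0, next_hop_mtu) + quoted_datagram
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


# A traceroute-style UDP probe from 10.0.0.1 to 192.0.2.10, port 33434, answered
# by the destination with code 3 (Port Unreachable): the probe has arrived.
_probe = _ipv4_header("10.0.0.1", "192.0.2.10", 17, 40, df=False) + struct.pack("!HHHH", 40000, 33434, 20, 0)
SAMPLE_PORT_UNREACHABLE = build_unreachable(3, _probe)

# A 1500-byte TCP segment with DF set, bounced by a router whose next hop
# (a tunnel, say) only carries 1400 bytes: code 4 with next-hop MTU 1400.
_big = _ipv4_header("10.0.0.1", "198.51.100.7", 6, 1500, df=True) + struct.pack("!HHI", 51000, 443, 1)
SAMPLE_FRAG_NEEDED = build_unreachable(4, _big, next_hop_mtu=1400)


if __name__ == "__main__":
    for sample in (SAMPLE_PORT_UNREACHABLE, SAMPLE_FRAG_NEEDED):
        print(parse_destination_unreachable(sample))
```

Run the file directly to see both decoded messages. With `no ip unreachables` on the router that would have generated them, neither message exists: traceroute never sees the Port Unreachable that marks the final hop, and the sender of the 1500-byte segment never learns the 1400-byte limit, so it keeps retransmitting full-size DF packets into a black hole.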

New Member

Re: no ip unreachables

Thanks so much for sharing your knowledge Rick.

Any other ideas and experiences on this please?

Hall of Fame Super Silver

Re: no ip unreachables

Ranil

I find it unfortunate that disabling unreachables impacts the things that it does. A part of me would like to keep them enabled. But several of my customers have policies that, as a standard, we should disable unreachables. And from the standpoint of wanting to tighten up security, I agree with the position of no ip unreachable.

HTH

Rick

New Member

Re: no ip unreachables

Yes, Rick. However, I suppose that this decision is based on the domain of interest.

For instance, when private peering is involved it would be interesting to have unreachables enabled until end-to-end network reachability is validated. Later on, one can think of hardening the device (security).

Within the domain of Internet routing, I'm not quite sure whether there's a standard practice. As you've mentioned already, this may depend on the policies of each AS admin.

New Member

Re: no ip unreachables

Disabling ICMP unreachables can have an adverse effect in VPN scenarios. VPNs have extra packet overhead due to encryption, so the source needs to know to send smaller packets if the packet size becomes too large to be sent over the WAN. Here PMTUD comes in handy. If it is disabled on any of the routers along the path, then the source will never know what packet size to send and the packets will get dropped. This is the Black Hole Router problem. The same can be said about non-VPN traffic too. The applications most badly hit by this problem over VPN are Citrix and MS Outlook. The best way to avoid this on VPNs is to adjust the IP MTU and TCP MSS on the VPN gateway device where the tunnels are terminated. Usually all providers have ICMP unreachables enabled. It is good to have it enabled to avoid the problems discussed. I have experienced these problems a lot.

New Member

Re: no ip unreachables

Thanks a lot for sharing your experiences Raman.

New Member

Re: no ip unreachables

An IP unreachable can be caused by a faulty physical layer (UTP cable), a router that is not powered on, a switch configuration issue (duplex mismatch / speed), or an IP mismatch.

New Member

Re: no ip unreachables

Hi,

Wouldn't it be a better idea to have ip unreachables enabled but rate-limited, so that it would also guarantee security to a certain extent?

Ref: PMTUD section of:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml#intro

P.S. Someone has rated one of the posts with 1. In my opinion, the poster has misunderstood the original query and should not have been rated. It would have been better if he/she had just been given a clarification on this point, rather than being rated "Not helpful".
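The "enabled but rate-limited" middle ground suggested above can be reasoned about with a small model. This is an added example, not part of the post and not vendor code: it assumes the behaviour of IOS `ip icmp rate-limit unreachable [df] <ms>` (one unreachable per configured interval, 500 ms by default, with the `df` keyword giving code 4 its own timer) and replays a constructed one-second scenario of 200 packets to closed UDP ports mixed with three oversized DF-set packets. The point it makes is that the limiter shrinks what a sweep can learn per second to a couple of messages while every spaced-out Fragmentation Needed reply still gets through, so PMTUD keeps working.

```python
from dataclasses import dataclass, field


@dataclass
class UnreachableRateLimiter:
    """Send at most one ICMP unreachable per interval, with a separate timer
    for code 4 (Fragmentation Needed) so a flood of port/host unreachables
    does not starve PMTUD.

    Modelled on the shape of IOS 'ip icmp rate-limit unreachable [df] <ms>'
    (one message per configured interval, 500 ms by default); this is an
    assumption for the example, not a reproduction of vendor code.
    """
    interval_ms: int = 500
    df_interval_ms: int = 500
    _last_sent: dict = field(default_factory=dict)  # "df" / "other" -> last send time (ms)

    def should_send(self, code: int, now_ms: int) -> bool:
        bucket = "df" if code == 4 else "other"
        interval = self.df_interval_ms if code == 4 else self.interval_ms
        last = self._last_sent.get(bucket)
        if last is None or now_ms - last >= interval:
            self._last_sent[bucket] = now_ms
            return True
        return False


def simulate(events, limiter=None):
    """events: iterable of (time_ms, icmp_code) for packets that would each
    trigger an unreachable. Returns (sent, suppressed) as per-code counts;
    limiter=None models 'no rate limit' (every event produces a message)."""
    sent, suppressed = {}, {}
    for t, code in sorted(events):
        ok = True if limiter is None else limiter.should_send(code, t)
        target = sent if ok else suppressed
        target[code] = target.get(code, 0) + 1
    return sent, suppressed


# Constructed scenario (not a capture): 200 UDP packets to closed ports
# spread over one second, the kind of burst a port sweep produces, plus
# three oversized DF-set packets that legitimately need a code 4 reply.
SCENARIO = [(t, 3) for t in range(0, 1000, 5)] + [(100, 4), (600, 4), (1100, 4)]


def compare():
    """Run the scenario with and without the default 500 ms limiter."""
    unlimited, _ = simulate(SCENARIO)
    limited, dropped = simulate(SCENARIO, UnreachableRateLimiter())
    return {"unlimited": unlimited, "limited": limited, "suppressed": dropped}


if __name__ == "__main__":
    for label, counts in compare().items():
        print(label, counts)
```

In this run the unlimited router answers all 200 probes with Port Unreachables; with the limiter it answers two (at 0 ms and 500 ms) and suppresses 198, while all three Fragmentation Needed replies are sent because they arrive at least 500 ms apart on their own timer. Rate limiting does not hide the device the way `no ip unreachables` does, it only slows the rate at which the information leaks, so the choice is still the trade-off Rick described.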
