no ip unreachables

rsgamage1
Level 3

Hi,

What are the consequences of disabling IP unreachables?

Within the context of device hardening it is recommended to disable this.

However, I've also read that this could affect PMTUD and sending of "packet too big" messages.

What are your experiences in this regard? Also your point of view please.

Thanks

8 Replies

Richard Burts
Hall of Fame

Ranil

ICMP message type 3 is an unreachable message. Within this message type are a number of "codes" which define various types of messages. This table is from IANA and shows the various types:

Type 3  Destination Unreachable  [RFC792]

Code  Name                                                                   Reference
  0   Net Unreachable                                                        [RFC792]
  1   Host Unreachable                                                       [RFC792]
  2   Protocol Unreachable                                                   [RFC792]
  3   Port Unreachable                                                       [RFC792]
  4   Fragmentation Needed and Don't Fragment was Set                        [RFC792]
  5   Source Route Failed                                                    [RFC792]
  6   Destination Network Unknown                                            [RFC1122]
  7   Destination Host Unknown                                               [RFC1122]
  8   Source Host Isolated                                                   [RFC1122]
  9   Communication with Destination Network is Administratively Prohibited  [RFC1122]
 10   Communication with Destination Host is Administratively Prohibited     [RFC1122]
 11   Destination Network Unreachable for Type of Service                    [RFC1122]
 12   Destination Host Unreachable for Type of Service                       [RFC1122]
 13   Communication Administratively Prohibited                              [RFC1812]
 14   Host Precedence Violation                                              [RFC1812]
 15   Precedence cutoff in effect                                            [RFC1812]

As you can see the Fragmentation Needed but Do Not Fragment is one of those. So yes PMTUD will be impacted when you configure no unreachables.

Also since the Cisco/Unix traceroute is based on sending UDP packets and looking for the Port Unreachable message to indicate that the probe has reached the destination, then disabling unreachables will break the traceroute.

From a security standpoint when you harden a device you want to minimize the amount of information that the device provides about itself to others and disabling unreachables helps achieve this. But from the standpoint of things that help our network work better the unreachable is helpful.

So you have two different points of view and their position on unreachables. So which is more important hardening devices with reducing information that they provide or helping the network to run better?

[edit] for anyone who would be interested here is a link to the ICMP message types and codes:

http://www.iana.org/assignments/icmp-parameters

HTH

Rick

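As an added illustration (not code from the thread), here is a small Python decoder for ICMP type 3 messages: it verifies the RFC 1071 checksum, names the code using the IANA table above, extracts the next-hop MTU field (RFC 1191) that PMTUD depends on for code 4, and reports the source and destination of the packet quoted inside the message, which is the kind of information a hardening guide worries about a device handing out. The sample message and addresses are constructed inline.

```python
import struct
# ICMP type 3 codes, as listed in the IANA table quoted above.
UNREACHABLE_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
    5: "Source Route Failed", 6: "Destination Network Unknown",
    7: "Destination Host Unknown", 8: "Source Host Isolated",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    11: "Destination Network Unreachable for Type of Service",
    12: "Destination Host Unreachable for Type of Service",
    13: "Communication Administratively Prohibited",
    14: "Host Precedence Violation", 15: "Precedence cutoff in effect",
}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when run over a valid message."""
    data = data + b"\x00" if len(data) % 2 else data
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_unreachable(code: int, next_hop_mtu: int, quoted: bytes) -> bytes:
    """Assemble a type 3 message quoting the offending packet's IP header + 8 bytes."""
    body = struct.pack("!BBHHH", 3, code, 0, 0, next_hop_mtu) + quoted
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_unreachable(icmp: bytes) -> dict:
    """Decode a type 3 message: code name, next-hop MTU (code 4 only), quoted flow."""
    if len(icmp) < 8 + 20:  # 8-byte ICMP header plus at least the quoted IP header
        raise ValueError("truncated ICMP message")
    msg_type, code, _, _, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if msg_type != 3 or icmp_checksum(icmp) != 0:
        raise ValueError("not a valid Destination Unreachable message")
    orig = icmp[8:]  # IP header of the packet that triggered the reply
    return {
        "code": code,
        "name": UNREACHABLE_CODES.get(code, "unassigned"),
        "next_hop_mtu": next_hop_mtu if code == 4 else None,  # RFC 1191 field
        "orig_src": ".".join(str(b) for b in orig[12:16]),
        "orig_dst": ".".join(str(b) for b in orig[16:20]),
    }

# Constructed sample: a 1500-byte DF TCP packet 192.0.2.10 -> 198.51.100.20 hit a
# 1400-byte link, and the router answered with code 4 and next-hop MTU 1400.
ORIG_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
ORIG_L4 = struct.pack("!HHI", 40000, 443, 0)  # first 8 bytes of the TCP header
SAMPLE = build_unreachable(4, 1400, ORIG_HDR + ORIG_L4)
```

Running `parse_unreachable(SAMPLE)` shows the code 4 reply carrying the next-hop MTU of 1400 together with the quoted source and destination; a router configured with no ip unreachables would simply never emit it.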

Thanks so much for sharing your knowledge Rick.

Any other ideas and experiences on this please?

Ranil

I find it unfortunate that disabling unreachables impacts the things that it does. A part of me would like to keep them enabled. But several of my customers have policies that as a standard we should disable unreachables. And from the standpoint of wanting to tighten up security I agree with the position of no ip unreachable.

HTH

Rick


Yes, Rick. However, I suppose that this decision is based on the domain of interest.

For instance, when private peering is involved it would be interesting to have unreachables enabled, until end-to-end network reachability is validated. Later on, one can think of hardening the device (security).

Within the domain of Internet routing, I'm not quite sure whether there's a standard practice. As you've mentioned already, this may be dependent on the policies of each AS admin.

rkalia1
Level 1

Disabling ICMP unreachables can have an adverse effect in VPN scenarios. VPNs have extra packet overhead due to encryption so the source needs to know to send smaller packets if the packet size becomes too large to be sent over WAN. Here PMTUD comes in handy. If it is disabled along the path on any of the routers then the source will never know what packet size to send and the packets will get dropped. This is a Black Hole Router problem. Same can be said about the non-VPN traffic too. Most badly hit applications due to this problem over VPN are Citrix and MS Outlook. Best way to avoid this on VPNs is to adjust IP MTU and TCPMSS on the VPN gateway device where the tunnels are terminated. Usually all Providers have ICMP Unreachables enabled. It is good to have it enabled to avoid the problems discussed. I have experienced these problems a lot.
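The black-hole situation Raman describes, as an added Python model that is not part of the thread: a DF packet crosses a few constructed hops, one of them a VPN gateway whose tunnel carries 1400 bytes after encryption overhead. With unreachables on, the sender learns the smaller MTU from the code 4 reply; with no ip unreachables on the gateway it never does and keeps retransmitting into a black hole; clamping the TCP MSS at the gateway, as the post recommends, avoids the dependency on PMTUD altogether. Hop names and MTU values are constructed.

```python
from dataclasses import dataclass

IP_TCP_HEADERS = 40  # IPv4 + TCP headers without options

@dataclass
class Hop:
    name: str
    mtu: int
    unreachables: bool  # False models "no ip unreachables" on that router

def forward_df(path, size):
    """Forward one DF-bit packet hop by hop. Returns ("delivered", None),
    ("too_big", next_hop_mtu) for an ICMP type 3 code 4 reply, or
    ("black_hole", hop_name) when the hop must drop but is not allowed to say so."""
    for hop in path:
        if size > hop.mtu:
            return ("too_big", hop.mtu) if hop.unreachables else ("black_hole", hop.name)
    return "delivered", None

def pmtud(path, size, max_tries=4):
    """Sender-side PMTUD: shrink to the advertised MTU on each too-big reply.
    When nothing comes back the sender just retransmits the same size and times out."""
    for _ in range(max_tries):
        result, info = forward_df(path, size)
        if result == "delivered":
            return "delivered", size
        if result == "too_big":
            size = info  # learned path MTU, retry with it
    return "black_hole", size

def clamped_mss(tunnel_mtu):
    """MSS to advertise so a full TCP segment fits the tunnel without needing PMTUD."""
    return tunnel_mtu - IP_TCP_HEADERS

# Constructed paths: LAN, a VPN gateway whose tunnel fits 1400 bytes after
# encryption overhead, and the provider. In the second path the gateway is hardened.
PATH_OPEN = [Hop("lan", 1500, True), Hop("vpn-gw", 1400, True), Hop("isp", 1500, True)]
PATH_HARDENED = [Hop("lan", 1500, True), Hop("vpn-gw", 1400, False), Hop("isp", 1500, True)]

if __name__ == "__main__":
    print(pmtud(PATH_OPEN, 1500))      # ('delivered', 1400)
    print(pmtud(PATH_HARDENED, 1500))  # ('black_hole', 1500)
    # Mitigation from the post: clamp MSS at the gateway so segments never exceed 1400.
    print(pmtud(PATH_HARDENED, clamped_mss(1400) + IP_TCP_HEADERS))  # ('delivered', 1400)
```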

Thanks a lot for sharing your experiences Raman.

Geetha
Level 1

IP unreachable can be caused by either the physical layer (UTP cable) being faulty, the router not being powered on, the switch configuration pertaining to a duplex/speed mismatch, or an IP mismatch.

Hi,

Wouldn't it be a better idea to have ip unreachables enabled but rate limited, so that it would also guarantee security to a certain extent?

Ref: PMTUD section of,

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml#intro

P.S. Someone has rated one of the posts with 1. In my opinion, the poster has misunderstood the original query and should not have been rated. It would have been better if he/she had just been given a clarification regarding the same, rather than being rated as "Not helpful".
