Hi,

Yes, ICMP is handled by the CPU of the PFE. We can check ICMP throttled at this 
level.
As you said, a firewall filter at the interface level works. Thank you.

Regards,
David



 
David Roy
Orange France - RBCI IP Technical Assistance Center
Tel.   +33(0)299876472
Mob. +33(0)685522213
Email. david....@orange-ftgroup.com
 

-----Original Message-----
From: Richard A Steenbergen [mailto:r...@e-gerbil.net]
Sent: Friday, 30 April 2010 00:23
To: ROY David DTF/DERX
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Disable ICMP Time Exceeded

On Thu, Apr 29, 2010 at 05:04:20PM +0200, david....@orange-ftgroup.com wrote:
> Hi all,
> 
> Is there a way to disable or rate-limit (in junos) the sending of ICMP 
> Time Exceeded when the box receives datagrams with a TTL expired?

Not directly afaik. You could firewall packets that are about to TTL expire, so 
they never get processed in the first place. The ICMP generation is handled by 
the PFE CPU, so I'm not sure if a lo0 filter would affect that, but a physical 
interface filter should work.

Usually the issue is the opposite from the hard coded ICMP generation rate 
limit which you can't tweak, i.e. as soon as some customer points a default 
route back at you and creates a small routing loop your router starts looking 
shitty in traceroute and every idiot on the Internet with mtr and/or visual 
traceroute descends upon your noc email/phone like a swarm of locusts. You 
haven't lived until you've received a complaint in the form of a windows 
desktop screenshot of a tracert.exe window embedded in a word document, zipped, 
with porn windows open in the background.

-- 
Richard A Steenbergen <r...@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
