So what are IP Unreachables (ICMP Unreachables) and why are they so bad?
The ICMP Unreachable is one of the many ICMP Error Messages.
Straight from the source: RFC 792 specifies the details of ICMP. Let's have a look at the 8-bit "code" field in the ICMP Destination Unreachable Message:
0 = net unreachable;
1 = host unreachable;
2 = protocol unreachable;
3 = port unreachable;
4 = fragmentation needed and DF set;
5 = source route failed.
ICMP Unreachable code 4 is needed for PMTUD
The Path MTU is the smallest MTU of all the links in a path. PMTUD (Path MTU Discovery) enables the automatic calculation of the optimal MTU that may be used across the end-to-end communication.
So if we imagine an ICMP Destination Unreachable Message with the code field set to 4, "fragmentation needed and DF set", this would probably be useful in scenarios where MTU is important, right?
The point is that PMTUD uses ICMP Unreachable messages to see how "high it can go" on the path MTU without requiring fragmentation (the probe packets are sent with the DF bit set, and the ICMP reply dictates how the PMTU will be calculated).
So when ICMP Unreachables are blocked with the "no ip unreachables" command, PMTUD is broken, which could be a very bad thing (this is sometimes referred to as PMTUD black-holing).
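To make the mechanism concrete, here is an added example (not from the original post) in Python that decodes a Destination Unreachable message the way a PMTUD sender would: it checks the type and checksum, reads the RFC 792 code, pulls the Next-Hop MTU that RFC 1191 places in the message for code 4, and shows how the sender adjusts its path MTU. The sample message, the addresses and the 1400-byte next-hop MTU are constructed for the example.

```python
import struct
from ipaddress import IPv4Address
# RFC 792 code values for ICMP Destination Unreachable (type 3)
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable",
                     4: "fragmentation needed and DF set", 5: "source route failed"}
# RFC 1191 plateau table, used when a router reports Next-Hop MTU = 0
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 when the checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_unreachable(code: int, next_hop_mtu: int, quoted: bytes) -> bytes:
    """Assemble a type-3 message with a valid checksum (used to build the sample)."""
    chk = icmp_checksum(struct.pack("!BBHHH", 3, code, 0, 0, next_hop_mtu) + quoted)
    return struct.pack("!BBHHH", 3, code, chk, 0, next_hop_mtu) + quoted

def parse_icmp_unreachable(msg: bytes) -> dict:
    """Decode a type-3 message: code, RFC 1191 Next-Hop MTU (code 4 only) and
    the destination/protocol of the original datagram quoted after the header."""
    if len(msg) < 8 + 20:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _chk, _unused, next_hop_mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != 3 or icmp_checksum(msg) != 0:
        raise ValueError("not a valid Destination Unreachable message")
    inner = msg[8:]  # quoted IP header + first 8 bytes of its payload
    return {"code": code, "meaning": UNREACHABLE_CODES.get(code, "unknown"),
            "next_hop_mtu": next_hop_mtu if code == 4 else None,
            "original_dst": str(IPv4Address(inner[16:20])), "original_proto": inner[9]}

def next_pmtu(current: int, info: dict) -> int:
    """PMTUD sender: adopt the reported Next-Hop MTU, else step down one plateau (router sent 0)."""
    if info["code"] != 4:
        return current
    if info["next_hop_mtu"]:
        return min(current, info["next_hop_mtu"])
    return next((p for p in PLATEAUS if p < current), PLATEAUS[-1])

# Constructed sample: quoted IPv4 header (TCP, DF set, total length 1500,
# 192.0.2.10 -> 198.51.100.20) plus the first 8 bytes of its TCP header.
QUOTED = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.20").packed)
QUOTED += struct.pack("!HHI", 51000, 443, 1)
SAMPLE = build_icmp_unreachable(4, 1400, QUOTED)  # router with a 1400-byte next hop
```

Feeding SAMPLE to parse_icmp_unreachable and then next_pmtu(1500, ...) yields a path MTU of 1400; if the router is filtered with "no ip unreachables", no message arrives and the sender keeps sending 1500-byte DF packets into the black hole.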
But it's hip to block ICMP Unreachables!
Of course it is. But how about knowing your network instead of following "guides" and deploying templates? Unfortunately, many of the "secure IOS templates" out there encourage the use of "no ip unreachables" and preach it as best practice. Even the Cisco "AutoSecure" feature disables ICMP Unreachables on all interfaces.
The Security aspect
Security-wise, this was probably a recommendation because an attack exploiting this could exhaust the router CPU: these types of ICMP messages are handed to the control plane to be processed by the CPU. There was a time when the CPUs of routers weren't as powerful as they are today.
In reality, the classic attack to exploit this "vulnerability" would be the well-known "smurf attack", which could bring down the router with the evil power of ICMP knowledge.
But does the fear of the smurf still apply in today's modern infrastructure, or did this threat die out with the mullet cut in the 80's? As a DoS attack, it is not very likely that a smurf attack would bring down your network today. But if we put our tinfoil hats on, an attacker could probably use it to enumerate hosts on our network. So we should probably consider the security aspect on some of our routers, right?
The workarounds
Luckily, your network doesn't have to be either secure or functional. It can be both. Being paranoid about ICMP Unreachables is probably a good thing when implementing border routers facing the Internet.
It may also be reassuring to know that Cisco has actually implemented default ICMP rate-limiting in IOS (google it). Probably another good reason not to worry about the DoS/CPU exhaustion aspect of this issue.
Configuration-wise, some workarounds exist to mitigate these issues, and one of them has developed into a Service Provider "best practice" on CPE devices: adjusting the TCP MSS. The MSS is even adjusted by default on the Cisco ASA platform. For more details on how the MSS is affected by this issue, RFC 2923 is a good place to start.
In order to explicitly allow PMTUD, but still block other types of ICMP messages, one could do "permit icmp
Yes, this ACL would be more CPU-intensive than "no ip unreachables" applied to an interface, but we're not too worried about CPU anymore, right?
Other than that, there is also the "mls rate-limit unicast ip icmp unreachable acl-drop 0" command, which only drops unreachables when blocked by an ACL.
The Future
IPv6 alleviates these issues to a certain degree, and a newer initiative to address PMTUD black-holing is Packetization Layer Path MTU Discovery (PLPMTUD), as described in RFC 4821.
The bottom line
So, will blocking ICMP Unreachables in your network cause the IETF to descend in black helicopters on your roof and tell you how bad it is? Probably not, but some of your applications might stop working, so make sure you address the issue before those applications are deployed. Either that, or turn off your phone.
Recommended Further Reading:
http://www.cymru.com/Documents/icmp-messages.html
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
http://www.nil.com/ipcorner/IP_Fragmentation/