06-17-2018 11:16 PM - edited 03-08-2019 03:23 PM
Hello, I am considering using the command 'no ip unreachables' on my layer 3 interfaces to improve security. However, I would then be unable to get traceroute information from those interfaces, which I find very useful.
I was wondering what most network engineers choose, i.e. the extra security of using 'no ip unreachables' or the convenient functionality of traceroute?
Solved!
06-18-2018 12:42 AM
Hello,
I think disabling ip unreachables is somewhat obsolete; it used to be disabled mainly to reduce CPU usage, but on present-day devices it isn't really an issue anymore. The most important negative effect of disabling ip unreachables is that it breaks path MTU discovery.
The link below has a pretty good explanation for why it is not a good idea to disable it:
https://njetwork.wordpress.com/2014/02/06/no-ip-unreachables-no-path-mtu-discovery/
06-18-2018 02:28 AM - edited 06-19-2018 01:05 AM
Hello
Disabling unreachables, in conjunction with the router's default ICMP rate limiting, is deemed to help mitigate DoS attacks.
ICMP unreachable packets are used when a specific network, host, protocol, or port is unreachable.
The router or host may send a destination unreachable packet to inform the source of the IP packet that the destination is unavailable.
You can suppress ALL destination unreachable packets on a routed interface by disabling them, and as such the source wouldn't even be notified of the unreachable network, host, port, etc.
sh ip int x/x | in ICMP
  ICMP redirects are always sent
  ICMP unreachables are always sent
int x/x
 no ip unreachables
sh ip int x/x | in ICMP
  ICMP redirects are never sent
  ICMP unreachables are never sent
As stated, there can be occurrences when the IP packet needs to be fragmented to be forwarded by the router but the DF bit in the packet is set; the source would then receive a destination unreachable message from the router, and if ICMP unreachables are disabled the packet won't be sent.
However, my understanding is that you can specify which types of unreachables are blocked by specifying them in an access-list.
access-list 100 deny icmp any any ?
<0-255> ICMP message type
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
dod-net-prohibited Net prohibited
dscp Match packets with given dscp value
echo Echo (ping)
echo-reply Echo reply
fragments Check non-initial fragments
general-parameter-problem Parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-redirect Host redirect for TOS
host-tos-unreachable Host unreachable for TOS
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
log Log matches against this entry
log-input Log matches against this entry, including input interface
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirect
net-redirect Network redirect
net-tos-redirect Net redirect for TOS
net-tos-unreachable Network unreachable for TOS
net-unreachable Net unreachable
network-unknown Network unknown
no-room-for-option Parameter required but no room
option-missing Parameter required but not present
packet-too-big Fragmentation needed and DF set
parameter-problem All parameter problems
port-unreachable Port unreachable
precedence Match packets with given precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol unreachable
reassembly-timeout Reassembly timeout
redirect All redirects
router-advertisement Router discovery advertisements
router-solicitation Router discovery solicitations
source-quench Source quenches
source-route-failed Source route failed
time-exceeded All time exceededs
time-range Specify a time-range
timestamp-reply Timestamp replies
timestamp-request Timestamp requests
tos Match packets with given TOS value
traceroute Traceroute
ttl-exceeded TTL exceeded
unreachable All unreachables
ICMP type 3 packets have many codes associated with them, but I would say codes 0-1 are the most common messages; please review the following RFC to obtain a better understanding.
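The two answers above turn on what an ICMP type 3 message actually carries: the first on code 4 (fragmentation needed, DF set), which path MTU discovery depends on, and the second on the other type 3 codes such as port-unreachable, which a UDP traceroute uses to recognise the final hop. The following Python is an added example for this page, not code from the thread or from Cisco: it builds and decodes type 3 messages per RFC 792 and RFC 1191 (including the checksum and the next-hop MTU field), and models a router's forwarding decision for an oversize DF packet with and without ip unreachables. The sample datagram (a UDP probe from 10.0.0.1 to 192.0.2.10) is constructed, not captured, and the router model is deliberately minimal.

```python
import struct

# ICMP type 3 (Destination Unreachable) codes referenced in the thread, numbered
# per RFC 792 / RFC 1122 / RFC 1812, named after the IOS ACL keywords.
UNREACHABLE_CODES = {
    0: "net-unreachable",
    1: "host-unreachable",
    2: "protocol-unreachable",
    3: "port-unreachable",          # final-hop reply to a UDP traceroute probe
    4: "packet-too-big",            # fragmentation needed and DF set (PMTUD)
    5: "source-route-failed",
    9: "dod-net-prohibited",
    10: "dod-host-prohibited",
    13: "administratively-prohibited",
}
ICMP_DEST_UNREACH = 3
IP_DF = 0x4000


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message.
    Over a message whose checksum field is already filled in, this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_unreachable(code: int, offending: bytes, next_hop_mtu: int = 0) -> bytes:
    """Build the message a router emits: 8-byte ICMP header followed by the
    offending datagram's IP header plus its first 8 bytes (RFC 792). For code 4,
    RFC 1191 carries the next-hop MTU in the otherwise-unused second word."""
    ihl = (offending[0] & 0x0F) * 4
    quoted = offending[: ihl + 8]
    mtu_field = next_hop_mtu if code == 4 else 0
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, 0, 0, mtu_field)
    csum = icmp_checksum(hdr + quoted)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, csum, 0, mtu_field) + quoted


def parse_unreachable(msg: bytes) -> dict:
    """Decode a type 3 message the way a traceroute or PMTUD implementation must:
    verify the checksum, read the code, and recover src/dst/proto/ports of the
    datagram that triggered it (that is how the sender matches it to a flow)."""
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != ICMP_DEST_UNREACH:
        raise ValueError("not a destination-unreachable message")
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", quoted[ihl: ihl + 4])
    return {
        "code": code,
        "name": UNREACHABLE_CODES.get(code, "other"),
        "checksum_ok": icmp_checksum(msg) == 0,
        "next_hop_mtu": mtu if code == 4 else None,
        "src": ".".join(str(b) for b in quoted[12:16]),
        "dst": ".".join(str(b) for b in quoted[16:20]),
        "proto": quoted[9],
        "sport": sport,
        "dport": dport,
    }


def make_ipv4_udp(src: str, dst: str, sport: int, dport: int, total_len: int,
                  df: bool = True, ttl: int = 64) -> bytes:
    """Constructed sample datagram (not a capture): IPv4 + UDP headers only.
    The payload is implied by total_len, which is all the router model consults."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, IP_DF if df else 0,
                     ttl, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    udp = struct.pack("!HHHH", sport, dport, total_len - 20, 0)
    return ip + udp


def router_forward(pkt: bytes, egress_mtu: int, ip_unreachables: bool = True):
    """Minimal model of the decision the thread is about. Returns ("forward", pkt)
    or ("drop", icmp), where icmp is the type 3 / code 4 sent back to the source,
    or None when 'no ip unreachables' is in effect and the oversize DF packet is
    silently black-holed (the PMTUD failure the first answer describes)."""
    total_len = struct.unpack("!H", pkt[2:4])[0]
    flags = struct.unpack("!H", pkt[6:8])[0]
    if total_len <= egress_mtu:
        return "forward", pkt
    if not flags & IP_DF:
        return "forward", pkt   # router would fragment; fragmentation itself is not modelled
    if ip_unreachables:
        return "drop", build_unreachable(4, pkt, next_hop_mtu=egress_mtu)
    return "drop", None


if __name__ == "__main__":
    probe = make_ipv4_udp("10.0.0.1", "192.0.2.10", 40000, 33434, total_len=1500)
    # 1400-byte egress, unreachables on: the sender learns the MTU and resizes.
    print(router_forward(probe, egress_mtu=1400, ip_unreachables=True)[0],
          parse_unreachable(router_forward(probe, egress_mtu=1400)[1]))
    # Same link with 'no ip unreachables': nothing comes back, the flow stalls.
    print(router_forward(probe, egress_mtu=1400, ip_unreachables=False))
    # The final hop's answer to a UDP traceroute probe is code 3.
    print(parse_unreachable(build_unreachable(3, probe)))
```

Two practitioner caveats on the configuration discussed above. The knob the second answer alludes to with "default icmp rate limiting" is the global `ip icmp rate-limit unreachable [df] milliseconds` command, which lets you keep unreachables enabled but cap how often the router generates them (with a separate rate for the DF case that PMTUD needs), which addresses the CPU/DoS concern without the black-holing shown by the model. Also, an access-list applied to an interface filters packets transiting or entering the router; it does not filter ICMP the router itself originates, so an interface ACL listing `unreachable` keywords is not a substitute for, or a selective form of, `no ip unreachables`.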