Is there a way to protect a network from the malicious use of ICMP without breaking PathMTU or disabling ping and traceroute? I usually do not add the no ip unreachables command on interfaces within my inside network but do have it on all of my interfaces on the internet facing routers. I already have an infrastructure ACL on my BGP interface set to deny all ICMP packets but that is applied in the IN direction only. I'm doing a review of the config in preparation for routine maintenance and looking for some ideas.