data center - Ashburn Consulting LLC


ICMP Security

This is a draft guide to handling ICMP securely.

Guide to Handling the ICMP Protocol

Summary:

This guide is an attempt to answer common questions about handling the ICMP protocol in a secure and effective manner. Comments and feedback are always welcome. It covers the major areas in which questions arise about how ICMP should be handled, and what specifically should be allowed in each situation so that risk is mitigated effectively. For the specific ICMP codes within each ICMP type, refer to the reference URLs below.

Major ICMP Protocol Types:

– 0: Echo Reply

– 3: Destination Unreachable

– 4: Source Quench

– 5: Redirect (change a route)

– 8: Echo Request

– 9: Router Advertisement

– 10: Router Solicitation

– 11: Time Exceeded for a Datagram

– 12: Parameter Problem on a Datagram

– 13: Timestamp Request

– 14: Timestamp Reply

– 17: Address Mask Request

– 18: Address Mask Reply

Areas of Effect:

Perimeter

Outbound: Echo Reply (0), Echo Request (8) (for troubleshooting)

Deny: All other types, except Time Exceeded (11) and Destination Unreachable (Type 3, Code 4) from a limited set of external testing devices.

Interior (Corporate Network)

Internal Deny: Handle on a case-by-case basis; however, where permissible, squelch Redirect (5), Router Advertisement (9), Router Solicitation (10), Timestamp Request (13), Timestamp Reply (14), Address Mask Request (17), and Address Mask Reply (18). These message types have been superseded by DHCP and NTP.

Internal Allow: Echo Reply (0), Destination Unreachable (3, Code 4), Echo Request (8), Time Exceeded (11)

Remote Access & Site to Site VPN

VPN Allow: Echo Reply (0), Destination Unreachable (3, Code 4), and Echo Request (8).

VPN Deny: Everything Else

Intranet to Intranet / Partner to Partner

Intranet to Intranet Allow: Echo Reply (0), Destination Unreachable (3, Code 4), Echo Request (8), Time Exceeded (11)

Intranet to Intranet Deny: Everything Else
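The zone rules above can be turned into something testable. The following is an added example, not code from the original article: it parses a raw ICMPv4 header (type, code, checksum, and the next-hop MTU carried by a Type 3 Code 4 message), then checks the parsed message against an allow list per zone. The zone names, function names and the sample packets are assumptions made for the example; the allow lists themselves follow the guide's sections, with everything not listed denied.

```python
"""ICMPv4 header parser plus the per-zone allow lists from the guide above.

Constructed example; zone names, function names and sample packets are
assumptions, not part of the original article.
"""
import struct

# ICMP type numbers named in the guide.
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST = 0, 3, 5, 8
ROUTER_ADV, ROUTER_SOL, TIME_EXCEEDED = 9, 10, 11
TIMESTAMP_REQ, TIMESTAMP_REPLY, MASK_REQ, MASK_REPLY = 13, 14, 17, 18
FRAG_NEEDED = 4  # Destination Unreachable, code 4: fragmentation needed (PMTUD)

# Allow lists as (type, code) pairs; code None means "any code".
# Anything not listed is denied, matching the guide's "Everything Else" rules.
_TROUBLESHOOT = {(ECHO_REPLY, None), (ECHO_REQUEST, None)}
_PMTU = {(DEST_UNREACH, FRAG_NEEDED)}
_TRACE = {(TIME_EXCEEDED, None)}
POLICY = {
    "perimeter_out": _TROUBLESHOOT,                   # outbound from the perimeter
    "perimeter_in_tester": _TRACE | _PMTU,            # from the limited external testers
    "perimeter_in": set(),                            # every other external source
    "interior": _TROUBLESHOOT | _PMTU | _TRACE,       # corporate network
    "vpn": _TROUBLESHOOT | _PMTU,                     # remote access and site-to-site
    "intranet": _TROUBLESHOOT | _PMTU | _TRACE,       # intranet/partner links
}


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message with a valid checksum (for sample input)."""
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmp(packet: bytes) -> dict:
    """Parse the 8-byte ICMP header; reject short or corrupted messages."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    # A message with a correct checksum sums to 0xFFFF, so its complement is 0.
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    msg = {"type": icmp_type, "code": code}
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        # RFC 1191: bytes 6-7 of a "fragmentation needed" message hold the next-hop MTU.
        msg["next_hop_mtu"] = struct.unpack("!H", packet[6:8])[0]
    return msg


def decide(zone: str, msg: dict) -> str:
    """Return ALLOW or DENY for a parsed message in the given zone."""
    allowed = POLICY[zone]
    if (msg["type"], None) in allowed or (msg["type"], msg["code"]) in allowed:
        return "ALLOW"
    return "DENY"


if __name__ == "__main__":
    # Constructed sample traffic: PMTUD message with MTU 1400, a traceroute
    # reply, and an ICMP redirect.
    samples = [
        ("interior", build_icmp(DEST_UNREACH, FRAG_NEEDED, rest=b"\x00\x00" + struct.pack("!H", 1400))),
        ("vpn", build_icmp(TIME_EXCEEDED, 0)),
        ("interior", build_icmp(REDIRECT, 1)),
        ("perimeter_in", build_icmp(ECHO_REQUEST, 0)),
    ]
    for zone, pkt in samples:
        msg = parse_icmp(pkt)
        print(zone, msg, decide(zone, msg))
```

Note that the VPN zone deliberately has no Time Exceeded entry, so the traceroute reply in the sample is denied there while the same message is allowed on the interior. Code 4 is the only Destination Unreachable code on any allow list, so a Type 3 message with another code is denied in every zone.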

References:

PMTU

http://www.tcpipguide.com/free/t_IPDatagramSizetheMaximumTransmissionUnitMTUandFrag-4.htm

ICMP

http://www.tcpipguide.com/free/t_ICMPv4TimestampRequestandTimestampReplyMessages-3.htm

University of Syracuse ICMP Lecture Notes

Layer 2 Tracing for (6500, 7609, 4500) Cisco Switches

In a 6509, 7609 or any chassis-based Cisco switch, to determine which physical port in a Port-channel/EtherChannel the switch forwards a given source and destination pair to, run the following commands:

Note: Doesn’t apply to Nexus switches.

First, enter the switch console:

Switch# remote login switch
Trying Switch ...
Entering CONSOLE for Switch

Then enter the following command:

Switch-SP# test etherchannel load-balance interface port-channel 1 ip 10.1.1.1 10.1.1.2
Computed RBH: 0x6
Would select Gi2/1 of Po1

Based on the hash computation, the switch forwards traffic for this source/destination pair out port Gi2/1.

This is a useful tool when, for whatever reason, a particular port is dropping packets between a source and destination pair.