Inflexible ICMP6 Error-limiting Considered Harmful
Pekka Savola
pekkas@netcore.fi
Tue, 17 Jul 2001 21:55:01 +0300 (EEST)
Hello all,

Current Cisco IOS (12.2(2)T, and previous betas) rate-limits all icmp6
error messages (including time exceeded and port unreachable) by default.
The default _interval_ between any two error messages is 500 msec.

I guess this was added as a security measure (you can still pingflood the
router without limits, though!), or to provide maximum CPU power to actual
packet forwarding (I'd rather save the 0.1% for the system..).

Unfortunately, this breaks traceroute pretty badly; I think the huge
timeouts now associated with IPv6 do not paint a good picture about the
reliability (even though the reality may be different). For example,
tracerouting from a looking glass [http://www.ipv6.euronet.be/looking/]:

 1 gate.ipv6.wanadoo.be (3ffe:8100:200:1fff::1) 1.736 ms * 1.927 ms
 2 2001:658:0:1::1 (2001:658:0:1::1) 62.505 ms * 70.661 ms
 3 2001:680:0:1::10 (2001:680:0:1::10) 72.154 ms * 71.249 ms
 4 2001:680:0:1::3 (2001:680:0:1::3) 109.85 ms * 103.641 ms
 5 ipv6.netcore.fi (2001:670:86::1) 153.934 ms 113.085 ms 115.128 ms

Wonder which ones are Ciscos? That's right.

I just love demonstrating IPv6 to people when something like this
has been happening for years now..

Of course, this can be "fixed" by disabling the rate-limiting
completely with:

ipv6 icmp error-interval 0

(smaller values than 500, like 50, equally break traceroute for high-speed
connectivity)

The real fix would be to implement _error-rate_ in addition to
_error-interval_ (with sane defaults). For example, if the sampling period
were 100 ms and it were acceptable to have 5 _packets_ per period,
potential denial of service attacks would be prevented but the
traceroute, etc. functionality would still work.

</rant>
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"Tell me of difficulties surmounted,
not those you stumble over and fall"
-- Robert Jordan: A Crown of Swords
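As an added illustration (not part of Pekka's post or of any IOS code), the following Python model compares the two limiters the post describes: the fixed error-interval (500 ms default, or the 50 ms value also mentioned) and the proposed error-rate limiter of 5 errors per 100 ms sampling period. The traceroute hop model with its 2 ms RTT and 5 s probe timeout, and the 10 kpps flood, are constructed assumptions.

```python
class IntervalLimiter:
    """IOS behaviour as described in the post: an ICMPv6 error is emitted
    only if at least `interval_ms` has passed since the previous emitted
    error (IOS default: 500 ms)."""
    def __init__(self, interval_ms=500):
        self.interval_ms, self.last = interval_ms, None

    def allow(self, now_ms):
        if self.last is None or now_ms - self.last >= self.interval_ms:
            self.last = now_ms
            return True
        return False


class RateLimiter:
    """Proposed error-rate limiter: at most `max_errors` per `period_ms`
    sampling window (the post suggests 5 per 100 ms)."""
    def __init__(self, period_ms=100, max_errors=5):
        self.period_ms, self.max_errors = period_ms, max_errors
        self.window_start, self.count = None, 0

    def allow(self, now_ms):
        if self.window_start is None or now_ms - self.window_start >= self.period_ms:
            self.window_start, self.count = now_ms, 0   # new sampling window
        if self.count < self.max_errors:
            self.count += 1
            return True
        return False


def traceroute_hop(limiter, probes=3, rtt_ms=2.0, timeout_ms=5000):
    """Constructed model of one traceroute hop: probes go out one at a time;
    the next probe is sent as soon as a reply arrives, or after the timeout.
    Returns the per-probe column as traceroute prints it: RTT or '*'."""
    now, results = 0.0, []
    for _ in range(probes):
        if limiter.allow(now):          # router emits Time Exceeded
            results.append(rtt_ms)
            now += rtt_ms
        else:                           # error suppressed -> probe times out
            results.append("*")
            now += timeout_ms
    return results


def flood(limiter, packets=2000, pps=10000):
    """Constructed flood: `packets` error-triggering packets at `pps`;
    returns how many ICMPv6 errors the router would actually emit."""
    return sum(limiter.allow(i * 1000 / pps) for i in range(packets))
```

With the 500 ms interval a hop prints "rtt * rtt" (the second probe's error is suppressed and traceroute waits out the timeout before the third), which is exactly the pattern in the looking-glass output above; the rate limiter answers all three probes yet still caps a 200 ms flood at 10 errors.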