Inflexible ICMP6 Error-limiting Considered Harmful

[Pekka Savola]

Hello all,

Current Cisco IOS (12.2(2)T, and previous betas) rate-limit all icmp6
error messages (including time exceeded and port unreachable) by default.
The default _interval_ between error of any two messages is 500 msec.

I guess this was added as a security measure (you can still pingflood the
router without limits, though!), or to provide maximum CPU power to actual
packet forwarding (I'd rather save the 0.1% for the system..).

Unfortunately, this breaks traceroute pretty badly; I think the huge
timeouts now associated with IPv6 do not paint a good picture about the
reliability (even though the reality may be different).  For example,
tracerouting from a looking glass [http://www.ipv6.euronet.be/looking/]:

 1  gate.ipv6.wanadoo.be (3ffe:8100:200:1fff::1)  1.736 ms *  1.927 ms
 2  2001:658:0:1::1 (2001:658:0:1::1)  62.505 ms *  70.661 ms
 3  2001:680:0:1::10 (2001:680:0:1::10)  72.154 ms *  71.249 ms
 4  2001:680:0:1::3 (2001:680:0:1::3)  109.85 ms *  103.641 ms
 5  ipv6.netcore.fi (2001:670:86::1)  153.934 ms  113.085 ms  115.128 ms

Wonder which ones are Ciscos? That's right.

I just love demonstrating IPv6 to people when something like this
has been happening for years now..

Of course, this can be "fixed" by disabling the rate-limiting
completely with:

ipv6 icmp error-interval 0

(smaller values than 500, like 50 equally break traceroute for high-speed
connectivity)

Real fix would be to implement _error-rate_, in addition to
_error-interval_ (with sane defaults).  For example, if sampling period
would be 100 ms and it would be acceptable to have 5 _packets_ per period,
the potential denial of service attacks would be prevented but the
traceroute, etc. functionality would still work.

</rant>

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords