Inflexible ICMP6 Error-limiting Considered Harmful
Ole Troan
ot@cisco.com
20 Jul 2001 12:13:16 +0100
yes, the purely interval based mechanism doesn't work too well. we
have implemented a slightly more clever mechanism. should be in the
next beta.
/ot
> Current Cisco IOS (12.2(2)T, and previous betas) rate-limit all icmp6
> error messages (including time exceeded and port unreachable) by default.
> The default _interval_ between any two error messages is 500 msec.
>
> I guess this was added as a security measure (you can still pingflood the
> router without limits, though!), or to provide maximum CPU power to actual
> packet forwarding (I'd rather save the 0.1% for the system..).
>
> Unfortunately, this breaks traceroute pretty badly; I think the huge
> timeouts now associated with IPv6 do not paint a good picture about the
> reliability (even though the reality may be different). For example,
> tracerouting from a looking glass [http://www.ipv6.euronet.be/looking/]:
>
> 1 gate.ipv6.wanadoo.be (3ffe:8100:200:1fff::1) 1.736 ms * 1.927 ms
> 2 2001:658:0:1::1 (2001:658:0:1::1) 62.505 ms * 70.661 ms
> 3 2001:680:0:1::10 (2001:680:0:1::10) 72.154 ms * 71.249 ms
> 4 2001:680:0:1::3 (2001:680:0:1::3) 109.85 ms * 103.641 ms
> 5 ipv6.netcore.fi (2001:670:86::1) 153.934 ms 113.085 ms 115.128 ms
>
> Wonder which ones are Ciscos? That's right.
>
> I just love demonstrating IPv6 to people when something like this
> has been happening for years now..
>
> Of course, this can be "fixed" by disabling the rate-limiting
> completely with:
>
> ipv6 icmp error-interval 0
>
> (smaller values than 500, like 50, equally break traceroute for high-speed
> connectivity)
>
> The real fix would be to implement _error-rate_, in addition to
> _error-interval_ (with sane defaults). For example, if the sampling period
> were 100 ms and it were acceptable to have 5 _packets_ per period,
> potential denial of service attacks would be prevented but traceroute,
> etc. functionality would still work.
>
> </rant>
>
> --
> Pekka Savola
> Netcore Oy
> Systems. Networks. Security.
>
> "Tell me of difficulties surmounted,
> not those you stumble over and fall"
> -- Robert Jordan: A Crown of Swords
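The two limiters the thread contrasts, as an added simulation that is not part of either message and not Cisco's implementation: a pure interval limiter (one ICMPv6 error per `error-interval`, which is what the quoted IOS default does) beside a token bucket filled with 5 tokens every 100 ms (one reading of the "5 packets per sampling period" proposal; a token bucket is also what RFC 4443 section 2.4 later recommends). The traceroute model is constructed: three probes per hop, each sent after the previous reply (2 ms RTT) or after a 5 s probe timeout, which is why an interval limiter produces the "1.736 ms * 1.927 ms" pattern in the quoted looking-glass output. The flood model is likewise constructed (one packet per millisecond for one second) to show that the rate-based limiter still bounds error generation.

```python
"""Compare interval-based and token-bucket ICMPv6 error limiting.

Added illustration; the RTT, timeout and flood parameters are constructed,
not measured, and the token bucket is one possible reading of the
"N packets per sampling period" proposal in the thread.
"""
from typing import List, Optional


class IntervalLimiter:
    """One error message per `interval_ms`; 0 disables limiting entirely
    (the equivalent of `ipv6 icmp error-interval 0`)."""

    def __init__(self, interval_ms: int) -> None:
        self.interval = interval_ms
        self.last_sent: Optional[int] = None

    def allow(self, now_ms: int) -> bool:
        if self.last_sent is None or now_ms - self.last_sent >= self.interval:
            self.last_sent = now_ms
            return True
        return False


class TokenBucket:
    """Up to `tokens_per_period` errors per `period_ms`, with a burst of the
    same size; tokens are refilled in whole periods so the arithmetic is exact."""

    def __init__(self, period_ms: int, tokens_per_period: int) -> None:
        self.period = period_ms
        self.capacity = tokens_per_period
        self.tokens = tokens_per_period
        self.last_refill = 0

    def allow(self, now_ms: int) -> bool:
        elapsed_periods = (now_ms - self.last_refill) // self.period
        if elapsed_periods > 0:
            self.tokens = min(self.capacity,
                              self.tokens + elapsed_periods * self.capacity)
            self.last_refill += elapsed_periods * self.period
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def traceroute_hop(limiter, rtt_ms: int = 2, timeout_ms: int = 5000,
                   probes: int = 3) -> List[Optional[int]]:
    """Model one traceroute hop: a probe elicits a Time Exceeded only if the
    router's limiter allows it. traceroute sends the next probe right after a
    reply, or after its timeout when no reply arrives (shown as None, i.e. '*')."""
    now = 0
    results: List[Optional[int]] = []
    for _ in range(probes):
        if limiter.allow(now):
            results.append(rtt_ms)
            now += rtt_ms
        else:
            results.append(None)
            now += timeout_ms
    return results


def flood_allowed(limiter, packets: int, spacing_ms: int) -> int:
    """Count how many error messages a limiter lets through when `packets`
    error-triggering packets arrive `spacing_ms` apart (constructed flood)."""
    return sum(1 for i in range(packets) if limiter.allow(i * spacing_ms))


def render(hop: List[Optional[int]]) -> str:
    """Print a hop the way traceroute does, with '*' for a lost probe."""
    return " ".join("*" if r is None else f"{r} ms" for r in hop)


if __name__ == "__main__":
    for name, make in (("error-interval 500", lambda: IntervalLimiter(500)),
                       ("error-interval 50", lambda: IntervalLimiter(50)),
                       ("error-interval 0", lambda: IntervalLimiter(0)),
                       ("5 per 100 ms bucket", lambda: TokenBucket(100, 5))):
        print(f"{name:22s} traceroute: {render(traceroute_hop(make())):16s} "
              f"flood 1000 pkt/s: {flood_allowed(make(), 1000, 1)} errors sent")
```

The interval limiter drops the second probe of every hop because it arrives about 2 ms after the first, and it drops it at 50 ms just as it does at 500 ms, as the quoted message notes for fast links. The bucket answers all three probes yet still caps a 1000 packet/s flood at 50 replies per second, whereas disabling the limiter lets every flood packet generate an error.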