Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)

[Jared Mauch <jared () puck Nether net>]

On Thu, Aug 28, 2003 at 01:23:40PM +0100, variable () ednet co uk wrote:
> On Wed, 27 Aug 2003, jlewis () lewis org wrote:
>
> > We have a similarly sized connection to MFN/AboveNet, which I won't
> > recommend at this time due to some very questionable null routing they're
> > doing (propogating routes to destinations, then bitbucketing traffic sent
> > to them) which is causing complaints from some of our customers and
> > forcing us to make routing adjustments as the customers notice
> > MFN/AboveNet has broken our connectivity to these destinations.
>
> We've noticed that one of our upstreams (Global Crossing) has introduced 
> ICMP rate limiting 4/5 days ago.  This means that any traceroutes/pings 
> through them look awful (up to 60% apparent packet loss).  After 
> contacting their NOC, they said that the directive to install the ICMP 
> rate limiting was from the Homeland Security folks and that they would not 
> remove them or change the rate at which they limit in the foreseeable 
> future.

        I guess this depends on the type of
interconnect you have with them.  If you're speaking across
a public-IX or private (or even paid) peering link, this doesn't
seem unreasonable that they would limit traffic to a particular
percentage across that circuit.

        I think the key is to determine what is 'normal' and what
obviously constitutes an out of the ordinary amount of ICMP traffic.

        If you're a customer, there's not really a good reason
to rate-limit your icmp traffic.  customers tend to notice and
gripe.  they expect a bit of loss when transiting a peering
circuit or public fabric, and if the loss is only of icmp they
tend to not care.  This is why when I receive escalated tickets
I check using non-icmp based tools as well as using icmp
based tools.

> What are other transit providers doing about this or is it just GLBX?

here's one of many i've posted in the past, note it's also
related to securing machines.

http://www.ultraviolet.org/mail-archives/nanog.2002/0168.html

        I recommend everyone do such icmp rate-limits on their
peering circuits and public exchange fabrics to what is a 'normal'
traffic flow on your network.  The above message from the archives
is from Jan 2002, if these were a problem then and still are now,
perhaps people should either 1) accept that this is part of normal
internet operations, or 2) decide that this is enough and it's time
to seriously do something about these things.

        - Jared

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.