
Issue / Solution: ICMP Exceptions for Path-MTU Discovery, Allowing ICMP Type 3 Code 4 Messages

Description

Symptoms

After the initial implementation of the DDoS protection service in routed mode with GRE tunnels, traffic is noticeably slower and/or some connections do not work properly or fail to establish, for example:

  • some SSL sessions fail to establish
  • some slowness is observed when loading some sites
  • some sites respond with a connection timeout or error

Technical Issue

The likely cause is Path MTU Discovery (PMTUD):

  • Silverline relies on Path MTU Discovery (PMTUD), the Internet's mechanism for adjusting packet size when a link along the path to the destination has an MTU smaller than the packet being sent.
  • PMTUD is a standardized technique for determining the MTU on the network path between two hosts, usually with the goal of avoiding IP fragmentation.

The issue would look like this:

  1. Client A sends a packet to Client B.
  2. A router on the path to Client B uses PMTUD (if configured) to alert the sender by responding with an ICMP Type 3 Code 4 message (Destination Unreachable, Fragmentation Needed: "need to fragment" or "can't accept a packet this large").
    • Note: If a packet with the Don't Fragment bit (DF bit) set reaches a router where the packet is too large to be forwarded, the router drops the packet and replies to Client A with an ICMP Type 3 Code 4 message. At this point:
      • Client A should receive this message and adjust the MTU for the session accordingly.
      • If this ICMP reply is dropped, Client A never receives the request to lower its MTU and keeps retransmitting packets with no response from Client B.
  3. If Client A's host or network blocks inbound ICMP, PMTUD cannot work: PMTUD requires that the sender be able to receive ICMP Type 3 Code 4 (Destination Unreachable) messages.
  4. Client A continues to transmit packets with no response from Client B.


Environment

  • Silverline DDoS
    • Routed


Cause

Blocking all inbound ICMP for security reasons also blocks ICMP Type 3 Code 4 messages, so PMTUD fails to function.


Resolution

Permit ICMP Type 3 Code 4 (Fragmentation Needed) messages ingress to the network, allowing Path-MTU Discovery to function.

Other considerations:

  • If your stateful firewall policy already allows ICMP Type 3 Code 4 messages by default (as related to existing sessions), no separate filter rule for ICMP Type 3 Code 4 is needed.
  • If stateless firewall policies are used, explicit ICMP Type 3 Code 4 statements are needed for PMTUD to work.

Example firewall statements that permit ICMP Type 3 Code 4 messages (while still blocking ICMP fragments and other ICMP):

  • Juniper

    family inet {
        filter ingress-filter {
            /* Discard non-initial ICMP fragments and log them */
            term block-frags {
                from {
                    is-fragment;
                    protocol icmp;
                }
                then {
                    syslog;
                    discard;
                }
            }
            /* ICMP to the edge interface prefix */
            term icmp-allow-in {
                from {
                    /* added so the term matches only ICMP, as its name implies */
                    protocol icmp;
                    destination-address {
                        10.100.100.0/30;
                    }
                }
                then {
                    accept;
                }
            }
            /* ICMP Type 3 Code 4 (Destination Unreachable, Fragmentation Needed) for PMTUD */
            term icmp-PMTUD-allow-in {
                from {
                    protocol icmp;
                    icmp-type [ unreachable ];
                    icmp-code [ fragmentation-needed ];
                }
                then {
                    accept;
                }
            }
            /* Everything else ICMP is logged and discarded */
            term icmp-deny-in {
                from {
                    protocol icmp;
                }
                then {
                    syslog;
                    discard;
                }
            }
        }
    }
  • Cisco (applied to the edge interface with "ip access-group 100 in")

    ip access-group 100 in

    ! Specifically block ICMP fragments
    access-list 100 deny icmp any any fragments log

    ! Allow inbound ping response to edge interface
    access-list 100 permit icmp any host 10.100.100.32 echo-reply

    ! Allow inbound ping response to public server interface
    access-list 100 permit icmp any host 10.100.200.30 echo-reply

    ! Allow Path MTU Discovery to function (ICMP Type 3 Code 4)
    access-list 100 permit icmp any any packet-too-big

    ! Allow flow control
    access-list 100 permit icmp any any source-quench

    ! Allow bad header message to return
    access-list 100 permit icmp any any parameter-problem

    ! And explicitly block all other ICMP packets
    access-list 100 deny icmp any any log

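As an added illustration (not part of this article or of the Silverline service), the following Python models the ingress ICMP policy shown above and applies it to constructed packets, checking that a Fragmentation Needed message is accepted together with its RFC 1191 next-hop MTU while ICMP fragments and other ICMP are discarded. The build/parse/decide helpers, the sample packets and the 203.0.113.1 source address are assumptions.

```python
import struct
from ipaddress import ip_address

# Hypothetical helper (not from the article): minimal IPv4 + ICMP packet, no checksums.
def build(src, dst, icmp_type, icmp_code, rest=b"\x00" * 4, flags_frag=0):
    icmp = struct.pack("!BBH", icmp_type, icmp_code, 0) + rest
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, flags_frag,
                     64, 1, 0, ip_address(src).packed, ip_address(dst).packed)
    return ip + icmp

def parse(pkt):
    """Fields the filter terms match on, plus the RFC 1191 next-hop MTU for Type 3 Code 4."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"proto": proto, "dst": str(ip_address(dst)),
            "df": bool(flags_frag & 0x4000), "frag_offset": flags_frag & 0x1FFF}
    if proto == 1 and info["frag_offset"] == 0:  # ICMP header is only in the first fragment
        t, c, _, _, mtu = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
        info.update(icmp_type=t, icmp_code=c, next_hop_mtu=mtu)
    return info

ECHO_REPLY_HOSTS = {"10.100.100.32", "10.100.200.30"}  # interfaces from the Cisco example

def decide(info):
    """Same order as the ACL: drop ICMP fragments, allow echo-reply to listed hosts,
    allow PMTUD (3/4), source-quench (4) and parameter-problem (12), discard the rest."""
    if info["proto"] != 1:
        return "not-icmp"
    if info["frag_offset"] != 0:
        return "discard-fragment"
    t, c = info["icmp_type"], info["icmp_code"]
    if t == 0 and info["dst"] in ECHO_REPLY_HOSTS:
        return "accept-echo-reply"
    if (t, c) == (3, 4):
        return "accept-pmtud"
    if t in (4, 12):
        return "accept-other"
    return "discard-icmp"

# Constructed sample packets (not captured traffic); 203.0.113.0/24 is documentation space.
SAMPLES = {
    "pmtud": build("203.0.113.1", "10.100.200.30", 3, 4, struct.pack("!HH", 0, 1400)),
    "icmp_fragment": build("203.0.113.1", "10.100.200.30", 3, 4, flags_frag=0x00B9),
    "ping_reply_edge": build("203.0.113.1", "10.100.100.32", 0, 0),
    "ping_request": build("203.0.113.1", "10.100.200.30", 8, 0),
}

def classify_samples():
    return {name: decide(parse(pkt)) for name, pkt in SAMPLES.items()}
```

Running classify_samples() on the constructed packets returns accept-pmtud for the Fragmentation Needed message and discard-fragment for the ICMP fragment, which is the behaviour the filter above is meant to produce.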
