Questions about ICMP

[Lamar Owen]

On Saturday 08 December 2007, John Summerfield wrote:
> This http://www.cisco.com/warp/public/707/21.html has a section on Flood
> Management. Read it, it doesn't apply to many on this list.

One thing even this document misses about high-end cisco routers is that you 
do want to throttle pings to the loopback interface; it is possible to 
overload a Cisco 12012's GRP, for instance, with high-rate pings from a high 
speed interface interface (I've done that to ours through an OC12 SRP/DPT 
connection, but the OC3 I have to the Internet isn't quite big enough to do 
it).  

The distributed nature of that beast (and the 7500 series, as well as the 
6500/7600 series) means the router is handling at times a hundred or a 
thousand times the bandwidth that the CPU on the route processor could 
handle.  Well, essentially anything that would force a dCEF platform to drop 
to process switching on a >OC3 interface would do, but pinging the loopback 
is pretty close (which is why the loopbacks typically have tight ACL's and 
QoS setups to prevent RP CPU overload).

But the same is true for many of the layer 2 Catalysts when pinging the 
management port (sc0); a SupIII or IIIG on a Catalyst 5500, for instance, can 
be brought to its knees by hitting hard on sc0 (CPU overload on a layer 2 
catalyst can really wreak havoc with spanning tree, which can pull your 
entire layer 2 network down hard when BPDU's get missed).

On Linux, you're not likely to bring a box to its knees with pings, even on 
Gigabit interfaces, because the box's throughput isn't typically large enough 
to allow it.

However, I've found that the preemptive kernel (the PlanetCCRMA low latency 
one was what I tested) on my Dell 640m can be easily brought to its knees 
with any high interrupt load; the stock kernel doesn't exhibit this behavior.
-- 
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
(828)862-5554
www.pari.edu