Security Basics
> them.
>
>
Agreed, that's why I said vital.
>
> Destination unreachable messages do quite a bit more than "notify the
> receiver to stop trying to connect", since the code field carries the
> information *why* the destination wasn't reached. Maybe that's not so
> important for joe.average@home, but it's pretty darn important for any
> network admin.
>
> What about "time exceeded"? What about "parameter problem"? What about
> "source quench"?
>
Yes, agreed, again, why I said the word 'vital'... And there are other
avenues at an admin's disposal if those messages aren't allowed.
>
> > I don't see any ICMP messages that are a MUST for network operation.
>
> No, they're not a MUST. Connections can also just silently fail, leaving
> you as a network admin at a total loss as to *why* they're failing.
> Brilliant idea, really.
>
You can limit ICMP. It doesn't have to be everything on or everything
off. And I did say, as well as others, allow from trusted sources. The
issue is whether strong limits could be set on ICMP without destroying
the network and the answer is: yes.
>
> > That being said, if network monitoring is being done via SNMPv1 or v2
> > which isn't secure at all, ICMP is the least of your problems. I agree
> > with a few here that you allow ICMP from trusted to untrusted, but not
> > vice versa. And definitely NO ICMP from the Internet.
>
> What the heck is so freakin' scary about inbound echo requests? (to
> public IP addresses, that is)
>
> ICMP is not "teh evil(tm)". It's a part of the Internet Protocol suite,
> and it's there for a reason.
ICMP tunneling, host discovery to see if a device is active are two of
the issues with ICMP from the Internet. Flooding, though more rare
now, is still possible.
The idea is to limit your Internet footprint to make it as difficult
as possible for an attacker. There is no need for a web server to
respond to ping from the Internet for example.
I realize that some net admins are getting rather defensive on this
topic but there is no need. I believe a balance is required between
security and functionality and am not saying that ICMP should be
killed. Just limited. This is a security forum after all?
Try to remember, there is NO security built into the Internet Protocol
suite, which was developed in the 60's. Just because something is
there for a reason, doesn't mean it should not be subject to scrutiny.
-J
[ reply ]
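The policy argued for above (limit ICMP rather than switching it all on or off, allow echo requests from trusted sources, keep the error messages admins rely on) can be expressed as a small iptables ruleset. The following is an added example, not code posted by anyone in this thread; the interface name `eth0` and the trusted network `10.0.0.0/8` are assumed placeholders, and the script only prints the rules unless it is run with the `apply` argument.

```shell
#!/bin/sh
# Added example (not from the thread): an iptables policy that limits ICMP
# instead of blocking or allowing it wholesale. Interface and trusted network
# are assumed placeholders; override them via the environment.
set -eu

WAN_IF="${WAN_IF:-eth0}"                   # assumed: Internet-facing interface
TRUSTED_NET="${TRUSTED_NET:-10.0.0.0/8}"   # assumed: internal admin network

# icmp_rules prints the iptables commands without applying them, so the
# policy can be reviewed (or diffed against the running ruleset) first.
icmp_rules() {
    cat <<EOF
# Error messages needed for normal operation (PMTU discovery, traceroute,
# and learning *why* a connection failed). Accept them only when conntrack
# ties them to a connection this host already has (state RELATED).
iptables -A INPUT -p icmp --icmp-type destination-unreachable -m conntrack --ctstate RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -m conntrack --ctstate RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -m conntrack --ctstate RELATED -j ACCEPT
# Echo replies only for pings this host itself sent (conntrack state ESTABLISHED).
iptables -A INPUT -p icmp --icmp-type echo-reply -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Echo requests: accepted from the trusted network, dropped on the
# Internet-facing interface, rate-limited everywhere else to blunt floods.
iptables -A INPUT -p icmp --icmp-type echo-request -s $TRUSTED_NET -j ACCEPT
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# Everything else (redirect, timestamp, source quench, which RFC 6633
# deprecated, ...) is logged at a low rate and dropped.
iptables -A INPUT -p icmp -m limit --limit 1/minute -j LOG --log-prefix "ICMP-DROP: "
iptables -A INPUT -p icmp -j DROP
EOF
}

# allowed_icmp_types lists the ICMP types the policy accepts, for quick review.
allowed_icmp_types() {
    icmp_rules | grep -- '-j ACCEPT' \
        | sed -n 's/.*--icmp-type \([a-z-]*\).*/\1/p' \
        | LC_ALL=C sort -u
}

# Apply only when explicitly asked, as root, on a host that has iptables.
if [ "${1:-}" = "apply" ]; then
    icmp_rules | grep -v '^#' | sh -e
else
    icmp_rules
fi
```

Run it without arguments to print and review the rules; `sh icmp-policy.sh apply` (as root) installs them. The conntrack matches are what make the policy safe: error messages and echo replies are accepted only when they belong to traffic this host initiated, so the network keeps its diagnostics while unsolicited ICMP from the Internet gets nothing back.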