Security Basics mailing list archives
Re: Removing ping/icmp from a network
From: "Michael Painter" <tvhawaii () shaka com>
Date: Thu, 27 Mar 2008 19:02:23 -1000
----- Original Message -----
From: "Jason Thompson" <securitux () gmail com>
To: <security-basics () securityfocus com>
Sent: Wednesday, March 26, 2008 4:55 AM
Subject: Re: Removing ping/icmp from a network

[snip]

> I don't see any ICMP messages that are a MUST for network operation.
From: http://en.wikipedia.org/wiki/PMTU

"Many "security" devices incorrectly block all ICMP messages, including the errors that are necessary for PMTUD to work. This can result in connections that complete the TCP three-way handshake correctly, but then hang when data is transferred. This state is referred to as a "black hole connection".

Some implementations of PMTUD now try to work around this by inferring that large payload packets have been dropped due to MTU rather than because of link congestion. However, in order for TCP to operate most efficiently, ICMP unreachables (type 3) should be permitted."

From: http://www.netheaven.com/pmtu.html

"Newer servers try to optimize their transmissions by discovering the path MTU and sending packets of the maximum size when there's enough data to fill them. The procedure for doing this was standardized and published as RFC 1191 in 1990, but it did not become widely deployed until years later. By mid 2002, 80% to 90% of computers on the internet used path MTU discovery.

The basic procedure is simple - send the largest packet you can, and if it won't fit through some link get back a notification saying what size will fit. The notifications arrive as ICMP (Internet Control Message Protocol) packets known as "fragmentation needed" ICMPs (ICMP type 3, subtype 4). The notifications are requested by setting the "do not fragment" (DF) bit in packets that are sent out."
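The black-hole behaviour the two quotes describe, as an added example that is not part of this post or of the thread: a small Python simulation of RFC 1191 path MTU discovery in which a sender emits DF packets, a router with a smaller link emits ICMP type 3 / code 4 carrying its next-hop MTU, and a firewall between them applies one of two policies. With "block all ICMP" the sender never learns the smaller MTU and keeps retransmitting the same oversized packet (the black hole); with "block echo only" ping is still dropped but the fragmentation-needed error gets through and the sender adapts. The ICMP bytes, the policy names, the MTU values (1500 sender, 1400 bottleneck) and the quoted IP header are all constructed for the demonstration.

```python
"""Simulated path-MTU discovery (RFC 1191) under two ICMP filter policies.

Constructed example: the ICMP messages are hand-built, not captured traffic,
and the two policy names are invented for this demonstration.
"""
import struct

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4      # code 4 of type 3: "fragmentation needed and DF set"
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 792); verifying a message with
    its checksum field filled in must yield 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, quoted_datagram: bytes) -> bytes:
    """Build an ICMP type 3 / code 4 message. RFC 1191 puts the next-hop MTU in
    the low 16 bits of the second 32-bit word; the body quotes the dropped
    datagram's IP header plus its first 8 bytes."""
    unchecked = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = icmp_checksum(unchecked + quoted_datagram)
    header = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, csum, 0, next_hop_mtu)
    return header + quoted_datagram


def parse_icmp(msg: bytes) -> dict:
    """Verify the checksum and decode type/code; for type 3 / code 4 also
    return the advertised next-hop MTU (0 means a pre-RFC 1191 router)."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    info = {"type": icmp_type, "code": code}
    if icmp_type == ICMP_DEST_UNREACH and code == ICMP_FRAG_NEEDED:
        info["next_hop_mtu"] = mtu
    return info


def firewall_allows(policy: str, icmp_type: int, code: int) -> bool:
    """Two constructed policies: 'block_all_icmp' is the mistake the quoted
    text warns about; 'block_echo_only' drops ping but keeps the type 3
    errors PMTUD depends on."""
    if policy == "block_all_icmp":
        return False
    if policy == "block_echo_only":
        return icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)
    raise ValueError("unknown policy: %s" % policy)


def simulate_pmtud(policy: str, sender_mtu: int = 1500, bottleneck_mtu: int = 1400,
                   max_attempts: int = 5) -> dict:
    """Sender transmits DF packets at its current MTU. A router whose link is
    smaller drops the packet and returns type 3 / code 4 with its MTU; the
    firewall decides whether that notification reaches the sender."""
    mtu = sender_mtu
    for attempt in range(1, max_attempts + 1):
        if mtu <= bottleneck_mtu:
            return {"status": "delivered", "path_mtu": mtu, "attempts": attempt}
        # Router quotes the dropped datagram: a minimal 20-byte IPv4 header
        # (version/IHL 0x45, total length = mtu) plus 8 payload bytes, constructed.
        quoted = b"\x45\x00" + struct.pack("!H", mtu) + b"\x00" * 16 + b"\x00" * 8
        notice = parse_icmp(build_frag_needed(bottleneck_mtu, quoted))
        if not firewall_allows(policy, notice["type"], notice["code"]):
            continue  # notification silently dropped; sender retransmits same size
        mtu = notice["next_hop_mtu"]  # sender lowers its path MTU and retries
    return {"status": "black_hole", "path_mtu": mtu, "attempts": max_attempts}


if __name__ == "__main__":
    for policy in ("block_all_icmp", "block_echo_only"):
        print(policy, simulate_pmtud(policy))
```

The `block_echo_only` policy is the practical point of the thread: dropping echo request/reply does not break anything, whereas dropping type 3 also discards the one message PMTUD has no way to request again, so the handshake (small packets) succeeds and the bulk transfer (full-size DF packets) hangs, exactly the "black hole connection" in the Wikipedia excerpt.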