Firewall Wizards mailing list archives
Subject: Re: ICMP Packets.

> I think stopping ICMP is, in general, a very bad idea. Among other things, you totally screw up Path MTU discovery, and you make it hard to trace network problems. The Path MTU breakage is especially bad -- it will, among other things, impact your network performance.
From: Steve Bellovin <smb () research att com>
Date: Wed, 03 Jun 1998 10:01:09 -0400
In fact, it's not at all clear to me that Path MTU helps performance (see subsection 'Big Packets or Small' of section 24.2 of Stevens Vol. I for a summary of my arguments). But that isn't the real point -- the real point is that blocking Path MTU messages can break connectivity.

Assume that you're sending large packets towards some endpoint, with the DF bit on (per the Path MTU spec). If the packet size exceeds the MTU of some link past your firewall, the packet will be discarded and an ICMP packet returned. If that packet is blocked, you'll never be notified, and the connection will fail. The same argument applies in the reverse direction, if you block outgoing ICMP messages. And the Path MTU problem will become more severe as ipsec is deployed.

On the other hand, there have been problems for years with ICMP attack programs. Most of these derive their power from broken host stacks, that accept ICMP packets without verifying the port number portions. There seems to be no good solution (other than application gateways) other than fixing such broken hosts.
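A toy model of the two points above, added here as an example and not part of the original message: a DF packet crossing a path with a smaller link, a firewall policy that either drops all ICMP or allows only "fragmentation needed" (type 3, code 4) and "time exceeded", and a host that checks the embedded header of an ICMP message against its own connections before acting on it. Link MTUs, addresses and port numbers are constructed; no packets are sent.

```python
"""Toy Path MTU discovery simulation. Constructed values; nothing on the wire."""
from dataclasses import dataclass

PATH_MTUS = [1500, 1400, 576, 1500]      # constructed link MTUs beyond the firewall
ICMP_FRAG_NEEDED = (3, 4)                 # type 3 (unreachable), code 4 (frag needed, DF set)
ICMP_TIME_EXCEEDED = (11, 0)              # what traceroute relies on

BLOCK_ALL_ICMP = frozenset()                                   # the policy argued against
ALLOW_PMTUD = frozenset({ICMP_FRAG_NEEDED, ICMP_TIME_EXCEEDED})  # minimal allow-list

@dataclass(frozen=True)
class IcmpMessage:
    icmp_type: int
    code: int
    next_hop_mtu: int
    inner: tuple            # (src, dst, sport, dport) copied from the dropped packet

def forward(size, flow):
    """Forward a DF packet along PATH_MTUS. Return None when delivered, or the
    ICMP 'fragmentation needed' message the dropping router would send back."""
    for mtu in PATH_MTUS:
        if size > mtu:
            return IcmpMessage(*ICMP_FRAG_NEEDED, next_hop_mtu=mtu, inner=flow)
    return None

def firewall_passes(msg, allowed):
    # Only (type, code) pairs on the allow-list reach the sending host.
    return (msg.icmp_type, msg.code) in allowed

def host_accepts(msg, active_flows):
    # A correct stack matches the embedded header (addresses and ports) against
    # its active connections; messages for unknown flows are ignored.
    return msg.inner in active_flows

def pmtu_session(policy, max_tries=8):
    """Send a 1500-byte DF segment and shrink on valid ICMP feedback.
    Returns (delivered, final_size)."""
    flow = ("10.0.0.2", "192.0.2.10", 40000, 80)   # constructed 4-tuple
    size = 1500
    for _ in range(max_tries):
        msg = forward(size, flow)
        if msg is None:
            return True, size
        if not firewall_passes(msg, policy):
            return False, size          # sender is never told; the connection hangs
        if host_accepts(msg, {flow}):
            size = msg.next_hop_mtu
    return False, size

def forged_message_ignored():
    # A message whose inner header matches no connection is dropped by the host.
    bogus = IcmpMessage(*ICMP_FRAG_NEEDED, 68, ("203.0.113.5", "192.0.2.10", 1, 2))
    return not host_accepts(bogus, {("10.0.0.2", "192.0.2.10", 40000, 80)})
```

With `ALLOW_PMTUD` the sender converges on the 576-byte link; with `BLOCK_ALL_ICMP` it never learns why its first packet vanished.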