Firewall Wizards mailing list archives

Re: ICMP Packets.


From: "Paul D. Robertson" <proberts () clark net>
Date: Thu, 4 Jun 1998 23:47:06 -0400 (EDT)

On Wed, 3 Jun 1998, Perry E. Metzger wrote:

> > But it also has been helpful in blocking some of these more recent
> > attacks as well.
>
> Which "some of these more recent attacks" would those be?

Smurf and its ilk would probably top the list.

> > I run ICMP internally and also think it should be run externally, I
> > just don't think they should be mixed.
>
> IP is an end-to-end protocol. ICMP is an integral part of IP. If you
> allow IP through a network device, you have to allow ICMP to follow
> it.

No, you don't *have* to allow ICMP, it depends on what traffic is
necessary, and where things are going on.  TCP path MTU discovery depends
totally on the MTUs of your network topology.  Unreachables depend on
your and the remote end's tolerance for retries.

It is perfectly possible to block ICMP, it just has ramifications that
most folks don't think about.  Application layer gateways can help limit
the scope of where you allow ICMP if your topology or tolerances need
some part of it to function, but it's also possible to block it for
entire AS'.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
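An added illustration of the point made above (example code, not part of the thread): an ICMP message is parsed and checksum-verified, and a filtering policy keeps only the one message TCP path MTU discovery actually needs (destination unreachable, code 4, "fragmentation needed", whose MTU field comes from RFC 1191) while other unreachables are admitted or dropped according to an assumed site tolerance flag. The sample messages are constructed, not captured traffic.

```python
import struct

# ICMP type/code values from RFC 792 and RFC 1191.
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4      # "fragmentation needed and DF set": what PMTUD relies on
ICMP_ECHO_REQUEST = 8

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble a message with a correct checksum (used only to make sample input)."""
    hdr = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload

def parse_icmp(msg: bytes) -> dict:
    """Return type and code, plus the next-hop MTU for fragmentation-needed messages."""
    # A message whose checksum verifies sums to zero under the same algorithm.
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        raise ValueError("truncated ICMP message or bad checksum")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    info = {"type": icmp_type, "code": code}
    if icmp_type == ICMP_DEST_UNREACH and code == ICMP_FRAG_NEEDED:
        info["next_hop_mtu"] = struct.unpack("!HH", msg[4:8])[1]   # RFC 1191 field
    return info

def icmp_policy(msg: bytes, allow_unreachables: bool = False) -> str:
    """Illustrative policy (an assumption, not a standard): keep PMTUD working,
    admit other unreachables only if the site tolerates fewer retries, drop the rest."""
    try:
        info = parse_icmp(msg)
    except ValueError:
        return "drop"
    if info["type"] == ICMP_DEST_UNREACH:
        if info["code"] == ICMP_FRAG_NEEDED:
            return "allow"
        return "allow" if allow_unreachables else "drop"
    return "drop"

# Constructed sample messages; the 28-byte payload stands in for the quoted IP header.
INNER = b"\x45" + b"\x00" * 27
FRAG_NEEDED = build_icmp(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, struct.pack("!HH", 0, 1400), INNER)
HOST_UNREACH = build_icmp(ICMP_DEST_UNREACH, 1, b"\x00" * 4, INNER)
ECHO_REQUEST = build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh")
```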