Re: Removing ping/icmp from a network

["Michael Painter" <tvhawaii () shaka com>]

----- Original Message ----- 
From: "Jason Thompson" <securitux () gmail com>
To: <security-basics () securityfocus com>
Sent: Wednesday, March 26, 2008 4:55 AM
Subject: Re: Removing ping/icmp from a network

[snip]

> > I don't see any ICMP messages that are a MUST for network operation.<<


From:
http://en.wikipedia.org/wiki/PMTU

"Many "security" devices incorrectly block all ICMP messages, including the errors that are necessary for PMTUD to work. 
This can result in connections that complete the TCP three-way handshake correctly, but then hang when data is 
transferred. This state is referred to as a "black hole connection".

Some implementations of PMTUD now try to work around this by inferring that large payload packets have been dropped due to 
MTU rather than because of link congestion. However, in order for TCP to operate most efficiently, ICMP unreachables (type 
3) should be permitted."


http://www.netheaven.com/pmtu.html

"Newer servers try to optimize their transmissions by discovering the path MTU and sending packets of the maximum size 
when there's enough data to fill them. The procedure for doing this was standardized and published as RFC 1191 in 1990, 
but it did not become widely deployed until years later. By mid 2002, 80% to 90% of computers on the internet used path 
MTU discovery.

The basic procedure is simple - send the largest packet you can, and if it won't fit through some link get back a 
notification saying what size will fit.  The notifications arrive as ICMP (Internet Control Message Protocol) packets 
known as "fragmentation needed" ICMPs (ICMP type 3, subtype 4).  The notifications are requested by setting the "do not 
fragment" (DF) bit in packets that are sent out."