Firewall Wizards mailing list archives

Re: ICMP Packets.


From: "Don Kendrick" <dkendrick () mindspring com>
Date: Tue, 2 Jun 1998 17:06:49 -0400

Please see below for my reasoning...you may disagree, but here it is....

-----Original Message-----
From: Perry E. Metzger <perry () piermont com>
To: Don Kendrick <dkendrick () mindspring com>
Cc: perry () piermont com <perry () piermont com>; Toddb <toddb () pacifier com>;
firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Tuesday, June 02, 1998 4:01 PM
Subject: Re: ICMP Packets.



"Don Kendrick" writes:
Agreed on the Path MTU stuff in theory, though it really depends what kind
of traffic is going between the internal and external nets. For one, I'd
rather deny ICMP and suffer some on performance.

Do you understand the actual consequences here?

Someone trying to contact you is going to jack up their Path MTU and
NOT get an ICMP message back, so their packets to you are going to go
into space because they get frag'ed for really *loooong* periods of
time until blackhole detection kicks in. Is that REALLY what you want
for your network? Detecting the problem is going to be a bitch, too.

Here's where the physical comes into play...as I said, it depends what kind
of traffic and how it's set up.  If someone tries to crank up their Path MTU
I'm fairly confident that some place before it hits my external router, some
router somewhere in the path is going to have a lower MTU than what I can
handle. I'm expecting that those routers will have (and should have)
ICMP...these routers I think of as the "public Internet"...ISP and
backbones.

If you filter ICMPs, you're also setting yourself up as an ideal
network to have its IP addresses forged in someone's SYN flood attack
on an innocent third party. No "Unreachable" messages means the poor
victim is going to have to keep state for god knows how long while
replying to a nonexistent host/port on your LAN. You are guaranteed to
provide the bad guys with lots of fun.

Agreed, but how many of the SYN attack prevention patches use the
"Unreachables" to reset? Not trying to be smart...just asking, I really
don't know.

It also goes to the point of how many IP addresses you advertise to the
world and whether you own those IP addresses or they are the ISP's.  In
my first post, I talked about the standard config of an external router
connected point to point to the ISP's router. Can't that ISP's router
provide the "unreachables" for the whole address space except for that very
small subnet of addresses that I advertise to the world?


I've never understood why blocking ICMP was going to make you more
secure in the first place. Lots of ICMP information is very valuable
in making protocols run smoothly. Sure, some of it can be dangerous if
it is misused, like redirects, but you should know what you are doing,
not blindly block the whole protocol.

My main reason for doing it over a year ago was that I did not want anyone
mapping my external network as well as redirects. But it also has been
helpful in blocking some of these more recent attacks as well. I run ICMP
internally and also think it should be run externally, I just don't think
they should be mixed.


Perry


My two cents....it has worked for me but then again I agree with Henry's
post on the topic...you have to do what's right for you in your situation.

Don
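As an added illustration of Perry's point ("know what you are doing, not blindly block the whole protocol"), and not code from either poster: a small Python ICMP classifier that parses an IPv4/ICMP datagram and applies a selective inbound policy. It keeps the type 3 messages that Path MTU discovery (code 4, "fragmentation needed") and prompt connection teardown (host/port unreachable) depend on, keeps time-exceeded and echo replies, and drops redirects and inbound echo requests. The packets, addresses (RFC 5737 documentation ranges) and the policy table are constructed for this example; it is a teaching model of a filter rule set, not a particular router's or firewall's configuration syntax.

```python
"""Selective inbound ICMP policy, as discussed in the thread: keep the
messages PMTUD and state teardown rely on, drop redirects and ping sweeps.
All packets below are constructed in-memory; nothing touches the network."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ICMP type numbers from RFC 792; next-hop MTU field from RFC 1191.
ECHO_REPLY = 0
DEST_UNREACHABLE = 3
REDIRECT = 5
ECHO_REQUEST = 8
TIME_EXCEEDED = 11
FRAG_NEEDED_CODE = 4   # type 3 / code 4: "fragmentation needed and DF set"


@dataclass
class IcmpInfo:
    src: str
    dst: str
    icmp_type: int
    code: int
    next_hop_mtu: Optional[int]   # only meaningful for type 3 / code 4


def build_icmp_packet(src: str, dst: str, icmp_type: int, code: int,
                      rest: int = 0) -> bytes:
    """Construct a minimal IPv4 datagram carrying an 8-byte ICMP header.
    Checksums are left zero: this example classifies, it does not validate."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, rest)
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0x1234, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + icmp


def parse_icmp(packet: bytes) -> IcmpInfo:
    """Parse IPv4 + ICMP headers. Raises ValueError for anything else."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    ihl = (packet[0] & 0x0F) * 4            # header length in bytes
    if packet[9] != 1:                      # protocol field: 1 == ICMP
        raise ValueError("not ICMP")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    icmp = packet[ihl:]
    if len(icmp) < 8:
        raise ValueError("short ICMP header")
    icmp_type, code, _checksum, rest = struct.unpack("!BBHI", icmp[:8])
    mtu = None
    if icmp_type == DEST_UNREACHABLE and code == FRAG_NEEDED_CODE:
        mtu = rest & 0xFFFF                 # RFC 1191: low 16 bits carry next-hop MTU
    return IcmpInfo(src, dst, icmp_type, code, mtu)


def inbound_policy(info: IcmpInfo) -> str:
    """Decision for an Internet -> internal ICMP message: 'accept' or 'drop'."""
    if info.icmp_type == DEST_UNREACHABLE:
        # Code 4 is what PMTUD needs; the other codes let our hosts drop
        # state for peers that are gone instead of waiting for timeouts.
        return "accept"
    if info.icmp_type in (TIME_EXCEEDED, ECHO_REPLY):
        return "accept"                     # traceroute and our own pings' replies
    if info.icmp_type == REDIRECT:
        return "drop"                       # outsiders must not rewrite our routes
    if info.icmp_type == ECHO_REQUEST:
        return "drop"                       # denies cheap ping-sweep mapping
    return "drop"                           # default deny for everything else


def filter_batch(packets: List[bytes]) -> Tuple[List[Tuple[int, int, str]], Dict[str, int]]:
    """Classify each packet; return (type, code, decision) rows and a tally."""
    rows, tally = [], {"accept": 0, "drop": 0}
    for pkt in packets:
        info = parse_icmp(pkt)
        decision = inbound_policy(info)
        rows.append((info.icmp_type, info.code, decision))
        tally[decision] += 1
    return rows, tally


# Constructed sample: an upstream router reporting a 1400-byte hop, a port
# unreachable, a redirect, an echo request, and a time-exceeded message.
SAMPLE = [
    build_icmp_packet("192.0.2.1", "203.0.113.10", DEST_UNREACHABLE, FRAG_NEEDED_CODE, 1400),
    build_icmp_packet("198.51.100.7", "203.0.113.10", DEST_UNREACHABLE, 3),
    build_icmp_packet("198.51.100.7", "203.0.113.10", REDIRECT, 1),
    build_icmp_packet("198.51.100.7", "203.0.113.10", ECHO_REQUEST, 0),
    build_icmp_packet("192.0.2.1", "203.0.113.10", TIME_EXCEEDED, 0),
]

if __name__ == "__main__":
    for row in filter_batch(SAMPLE)[0]:
        print("type=%d code=%d -> %s" % row)
```

The point the model makes is that "block ICMP" is a per-type decision: dropping type 3 / code 4 turns every path with a smaller MTU into the silent blackhole Perry describes, while the messages that actually warrant blocking (redirects, inbound echo requests) can be dropped without losing PMTUD or unreachables.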


