
Re: Problem of blocking ICMP packets

2004-06-16 13:34:45
On Wed, 16 Jun 2004 11:23:44 EDT, Mike S said:

> Any router configured to block ICMP packets is, quite simply,
> in violation of RFC792 (STD5), which clearly states "ICMP is actually
> an integral part of IP, and must be implemented by every IP module."
> For a router, "implemented" means forwarded to the destination's next
> hop.
>
> So the fact is, by blocking ICMP, such ISPs have broken IP connectivity,
> and can no longer claim to be providing Internet (IP) service.

Be careful there - that's uncomfortably close to saying that every firewall
in existence is in violation of the RFCs, because they intentionally don't
make a best-effort attempt to deliver every packet (I know of no vendors
whose gear *can't* forward ICMP - but know plenty that provide knobs
to prevent it under administrative control (i.e. a firewall))...

An even more annoying problem is when our site sends a packet with
the DF bit set, it hits a tunnel near the far end - and the ICMP returned
has an RFC1918 source address (You tier-1 and tier-2 who number their
links out of 1918 know who you are..;).  The ICMP is then dropped on
the return path by a router properly implementing martian filtering...


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
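
The failure mode in the last paragraph of the message above, as an added example that is not part of the original post: a check that picks ICMP "fragmentation needed" (type 3, code 4) messages out of raw IPv4 packets and flags those whose source is an RFC1918 address, which a martian filter on the return path would drop. The function names and sample addresses are constructed for illustration; the next-hop MTU field position follows RFC 1191.

```python
import ipaddress
import struct

# RFC 1918 private ranges, dropped by a border router doing martian filtering.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_icmp(src, dst, icmp_type, code, next_hop_mtu=0, quoted=b""):
    """Construct a sample IPv4 + ICMP packet (constructed data, checksums zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0, next_hop_mtu) + quoted
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + icmp

def classify(packet):
    """Describe an IPv4 ICMP packet, or return None if it is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None                        # malformed, not ICMP, or truncated
    src = ipaddress.ip_address(packet[12:16])
    icmp_type, code, _csum, _unused, mtu = struct.unpack(
        "!BBHHH", packet[ihl:ihl + 8])
    frag_needed = (icmp_type, code) == (3, 4)
    private = any(src in net for net in RFC1918)
    return {
        "src": str(src),
        "frag_needed": frag_needed,
        "next_hop_mtu": mtu if frag_needed else None,
        "rfc1918_src": private,
        # Path MTU signal that will never reach the sender of the DF packet.
        "pmtud_blackhole_risk": frag_needed and private,
    }

if __name__ == "__main__":
    # Constructed samples: a tunnel endpoint numbered out of 10/8, and a public one.
    for pkt in (build_icmp("10.1.2.3", "192.0.2.10", 3, 4, 1476),
                build_icmp("198.51.100.1", "192.0.2.10", 3, 4, 1476)):
        print(classify(pkt))
```
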