
Re: Problem of blocking ICMP packets

2004-06-17 06:48:39
Any router configured to block ICMP packets is, quite simply,
in violation of RFC792 (STD5), which clearly states "ICMP is actually
an integral part of IP, and must be implemented by every IP module."
For a router, "implemented" means forwarded to the destination's next
hop.

So the fact is, by blocking ICMP, such ISPs have broken IP connectivity,
and can no longer claim to be providing Internet (IP) service.

<yawn> This debate has been going on since before I became a firewall
developer back in 1995...

Unfortunately, customers are more interested in a "usable" internet than a
"correct" one. As long as the bad guys keep abusing ICMP, we security people
will keep blocking it. The trick, therefore, is to convince the "block
everything" crowd to be selective about ICMP the same way they are selective
about (e.g.) TCP port numbers.

It's pretty easy these days to write good firewall rules that allow, for
example, Path MTU discovery to work. The "RELATED" state in Linux's iptables
rules is a good start...

-- 
Harald Koch chk(_at_)pobox(_dot_)com


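The selective ICMP policy the reply argues for, written out as an added example that is not from the thread or either poster: a Linux iptables ruleset in iptables-restore(8) format that drops ICMP by default but lets Path MTU discovery and a few other error messages through. It uses the modern `-m conntrack --ctstate` match, the successor of the `-m state --state RELATED` match referred to above; the rate limit values and the choice of allowed types are this example's assumptions, not anything stated in the thread. The helper functions only generate and inspect the ruleset; nothing is applied to the running kernel.

```shell
#!/bin/sh
# Added example (not from the original thread): a selective ICMP policy for a
# Linux iptables firewall. Default-drop ICMP, but keep PMTUD working.
# Assumed: iptables with the conntrack and limit matches available.

# ICMP types this policy accepts inbound even when conntrack cannot relate
# them to an existing flow (assumed policy choice for this example):
#   destination-unreachable  code 4 = fragmentation-needed, the PMTUD signal
#   time-exceeded            TTL expiry, needed for traceroute
#   parameter-problem        malformed-header reports
#   echo-request             stay pingable, but rate-limited
ALLOWED_ICMP_TYPES="destination-unreachable time-exceeded parameter-problem echo-request"

# Return 0 if the named ICMP type is permitted by this policy, 1 otherwise.
icmp_type_allowed() {
    for t in $ALLOWED_ICMP_TYPES; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Print the ruleset on stdout in iptables-restore(8) format. Review it, then
# feed it to `iptables-restore` as root; this function applies nothing.
pmtud_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The important line for ICMP: an ICMP error whose embedded IP/transport header
# matches a tracked flow (e.g. fragmentation-needed for an outgoing TCP session)
# is classified RELATED by conntrack and accepted without a per-type rule.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# Error types that carry useful signalling even when conntrack has no flow to
# relate them to (stateless traffic, flows that aged out of the table).
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# Stay pingable, but cap echo so it cannot be used as a flood at volume.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# A router must also forward the errors, not just accept them for itself:
# dropping these in FORWARD is exactly what breaks PMTUD for hosts behind it.
-A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT
-A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT
# Everything else ICMP (redirect, timestamp, address-mask, ...) hits the DROP policy.
-A INPUT -p icmp -j DROP
COMMIT
EOF
}

# Number of explicit per-type ICMP accept rules in the INPUT chain; a quick
# sanity check when the allowed list above is edited.
icmp_input_accept_rule_count() {
    pmtud_ruleset | grep -c -- '^-A INPUT -p icmp --icmp-type .* -j ACCEPT'
}
```

Run `pmtud_ruleset | sudo iptables-restore --test` to have the kernel parse the output without installing it. The same exercise for IPv6 is not optional: ICMPv6 packet-too-big (type 2) and the neighbour discovery types must pass or IPv6 simply stops working, and the type names given to ip6tables differ from the ones above.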
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf