RE: ICMP


Subject: RE: ICMP
From: Christopher E. Brown (cbrown@woods.net)
Date: Thu Mar 21 2002 - 14:47:09 AKST


On Thu, 21 Mar 2002, Larry Collier wrote:

> Ok, next question is: what set(s) of circumstances would lead to an
> ICMP type 3 packet being generated?
>
> My interest would be whether for ALL connections to my firewall, I should
> allow a response or just to some. My objective is to have the firewall
> respond only to those people I know and specifically allow and be invisible
> to everyone else.

The rule for a host is: if you talk IP to 'em, you talk ICMP to 'em.

The rule for a transit router is: DON'T BLOCK ICMP!

The rule for a border router is: if your hosts talk IP to 'em, you let
them talk ICMP to 'em. You can block anything else.

If you want to block incoming echo request and traceroute packets, this
is not a problem (and *you* can still ping outbound and traceping
outbound).

The *BIG* issue with Type 3 ICMP is routers and load balancers. Some
network admins (*even on transit networks*) put an ICMP block in their
access lists, when they really just want to stop ping. Many older
load balancers don't handle it correctly either.

Now, often there is no *perceived issue*. If the host, service, or
route is down the users always get a slow timeout instead of an
unreachable, but oh well. *BUT* when there is a route with a < 1500
octet MTU, or a parameter negotiation issue between two IP stacks, it
breaks, big time.

A server behind an ICMP block will work fine for someone on a PPPoE
based DSL service for small requests. *BUT* as soon as the server
sends a packet with a 1460 octet payload (+40 for IP header = 1500)
with the DF (Don't Fragment) bit set (normal), the next-to-the-last-hop
router (the DSL access box you have a PVC to) cannot send the packet; it
is too large for PPPoE encap, so it sends a Type 3 Code 4 back to the
server. Only the server never gets it and the connection stalls forever.

A good example of this is tripod.com. Many of the servers (but not
all) that handle user sites are behind an ICMP block, if your path MTU
to them is < 1500, welcome to the realm of random transfer issues. :)

 --
I route, therefore you are.
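The exchange Christopher describes, simulated end to end, as an added
example that is not part of the original message. The server sends a
full-size (1500 octet) IPv4 packet with DF set; the "DSL access box"
cannot put it on a PPPoE link (MTU assumed to be 1492, i.e. 1500 minus
the 8 octets of PPPoE/PPP overhead) and answers with an ICMP Type 3
Code 4 carrying the next-hop MTU, in the RFC 792 / RFC 1191 layout. The
same run is done twice: once with the Type 3 allowed through to the
server, once with it dropped by the server's firewall. The addresses are
RFC 5737 documentation addresses picked for the example, the byte
layouts follow the RFCs, and the rest (function names, retry count) is
this example's own construction.

```python
"""Path MTU discovery black hole, simulated: server -> DSL access box
(PPPoE, MTU 1492) -> ICMP Type 3 Code 4 back to the server, with and
without a filter dropping that ICMP.  Example code, not from the
original poster."""
import struct

PPPOE_MTU = 1492   # assumed: 1500 minus 8 octets PPPoE/PPP overhead
IP_DF = 0x4000     # Don't Fragment flag in the IPv4 flags/fragment-offset field


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, df: bool = True) -> bytes:
    """IPv4 header (no options) + payload; total length is 20 + len(payload)."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0x1234,
                      IP_DF if df else 0, 64, proto, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def router_forward(packet: bytes, link_mtu: int, router_ip: str):
    """The DSL access box.  Returns (forwarded_packet, icmp_error);
    exactly one of the two is not None."""
    total_len, = struct.unpack("!H", packet[2:4])
    flags_frag, = struct.unpack("!H", packet[6:8])
    if total_len <= link_mtu or not (flags_frag & IP_DF):
        # fits, or may be fragmented (fragmentation itself is not modelled)
        return packet, None
    # Type 3 / Code 4, "fragmentation needed and DF set".  RFC 1191 puts the
    # next-hop MTU in the low 16 bits of the otherwise unused second word,
    # followed by the offending IP header plus 8 octets of its payload so the
    # sender can match the error to the right connection.
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, link_mtu) + packet[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    original_src = bytes_to_ip(packet[12:16])
    return None, build_ipv4(router_ip, original_src, 1, icmp, df=False)


def parse_frag_needed(ip_packet: bytes):
    """Server side: from an IP packet carrying ICMP Type 3 Code 4 return
    (next_hop_mtu, original_destination); None for anything else."""
    if ip_packet[9] != 1:  # IP protocol field: 1 = ICMP
        return None
    icmp = ip_packet[20:]
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4) or checksum(icmp) != 0:
        return None
    quoted_header = icmp[8:28]
    return mtu, bytes_to_ip(quoted_header[16:20])


def simulate(server_ip: str, client_ip: str, router_ip: str,
             firewall_drops_icmp: bool, max_tries: int = 3) -> dict:
    """The server keeps sending full-PMTU segments with DF set until one
    gets through; 'stalls forever' is modelled as running out of tries."""
    pmtu = 1500
    for attempt in range(1, max_tries + 1):
        pkt = build_ipv4(server_ip, client_ip, 6, b"A" * (pmtu - 20))
        forwarded, error = router_forward(pkt, PPPOE_MTU, router_ip)
        if forwarded is not None:
            return {"delivered": True, "pmtu": pmtu, "attempts": attempt}
        if firewall_drops_icmp:
            continue  # Type 3 dropped at the server's firewall: resend same size
        pmtu = parse_frag_needed(error)[0]
    return {"delivered": False, "pmtu": pmtu, "attempts": max_tries}


if __name__ == "__main__":
    for drops in (False, True):
        label = "Type 3 dropped " if drops else "Type 3 allowed "
        print(label, simulate("192.0.2.10", "198.51.100.7", "203.0.113.1", drops))
```

With the Type 3 allowed through, the second attempt goes out at 1492
octets and is delivered; with it dropped, every retransmission is the
same 1500-octet packet and nothing ever arrives, which is exactly the
"stalls forever" symptom above. A firewall rule that admits ICMP type 3
(at least code 4) while still dropping echo requests avoids this.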



This archive was generated by hypermail 2a23 : Thu Mar 21 2002 - 15:07:07 AKST