[149769] in North American Network Operators' Group
Re: Common operational misconceptions
daemon@ATHENA.MIT.EDU (Chuck Anderson)
Wed Feb 15 18:04:08 2012
Date: Wed, 15 Feb 2012 18:02:58 -0500
From: Chuck Anderson <cra@WPI.EDU>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <CAJWBqEtLH60sXTRQ=ppP9-XVV56OeJ1hMtKancCyW_hQ1=9teA@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Feb 15, 2012 at 04:51:44PM -0600, Anton Kapela wrote:
> On Wed, Feb 15, 2012 at 4:36 PM, Chuck Anderson <cra@wpi.edu> wrote:
> > ICMP is bad, and should be completely blocked for "security".
>
> I can't tell if this reply is to say "this ought to be done" or if
> "this is often done, and should not be."
>
> Clarify?
This thread is about misconceptions. What I said was a common
misconception that "all ICMP should be blocked for security reasons".
In reality, some kinds of ICMP are REQUIRED for proper functioning of
an internetwork for things like Path MTU Discovery (ICMP Fragmentation
Needed/Packet Too Big). Other kinds of ICMP are good to allow for
being nice to the users and applications by informing them of an error
immediately rather than forcing them to wait for a timeout (ICMP
Destination Unreachable).
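An added example, not part of the message above, showing why the "Fragmentation Needed" message matters to a filter: it carries the next-hop MTU a host needs for Path MTU Discovery (RFC 1191 layout), and a border filter that drops all ICMP discards it. The allow-list in `must_allow` is an assumption for illustration covering only the types named in the post; everything else is left to local policy.

```python
import struct

# ICMPv4 (RFC 792 / RFC 1191) and ICMPv6 (RFC 4443) values used below.
ICMPV4_DEST_UNREACH = 3
ICMPV4_FRAG_NEEDED = 4           # code under type 3
ICMPV6_DEST_UNREACH = 1
ICMPV6_PACKET_TOO_BIG = 2

def icmp_checksum(data: bytes) -> int:
    """Standard Internet ones'-complement checksum; returns 0 over a packet
    whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """Constructed ICMPv4 Fragmentation Needed (type 3, code 4):
    type(1) code(1) checksum(2) unused(2) next-hop MTU(2), then the
    original IP header plus the first 8 bytes of its payload."""
    hdr = struct.pack("!BBHHH", ICMPV4_DEST_UNREACH, ICMPV4_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body = hdr + original[:28]
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_icmpv4(pkt: bytes) -> dict:
    """Decode the ICMPv4 header; expose the next-hop MTU that PMTUD relies on."""
    if len(pkt) < 8:
        raise ValueError("short ICMP header")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    info = {"type": typ, "code": code}
    if typ == ICMPV4_DEST_UNREACH and code == ICMPV4_FRAG_NEEDED:
        info["next_hop_mtu"] = mtu
    return info

def must_allow(version: int, typ: int) -> bool:
    """Assumed minimal allow-list: the PMTUD signal and Destination Unreachable
    named in the post. Other ICMP types are a local policy decision."""
    if version == 4:
        return typ == ICMPV4_DEST_UNREACH     # covers code 4, Fragmentation Needed
    if version == 6:
        return typ in (ICMPV6_DEST_UNREACH, ICMPV6_PACKET_TOO_BIG)
    return False
```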