Date:      Sun, 17 Jan 1999 19:47:06 -0500
From:      Christian Kuhtz <ck@adsu.bellsouth.com>
To:        Matthew Dillon <dillon@apollo.backplane.com>
Cc:        Christian Kuhtz <ck@adsu.bellsouth.com>, "Daniel O'Callaghan" <danny@hilink.com.au>, Justin Wolf <jjwolf@bleeding.com>, ben@rosengart.com, "N. N.M" <madrapour@hotmail.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: Small Servers - ICMP Redirect
Message-ID:  <19990117194706.H97318@oreo.adsu.bellsouth.com>
In-Reply-To: <199901180030.QAA54407@apollo.backplane.com>; from Matthew Dillon on Sun, Jan 17, 1999 at 04:30:56PM -0800
References:  <007701be4256$f01ff740$02c3fe90@cisco.com> <Pine.BSF.3.96.990118085344.15297A-100000@enya.clari.net.au> <19990117185047.A97318@oreo.adsu.bellsouth.com> <199901180030.QAA54407@apollo.backplane.com>

On Sun, Jan 17, 1999 at 04:30:56PM -0800, Matthew Dillon wrote:
>     ICMP is definitely not just a diagnostic tool, and it is put to good use
>     in a properly configured network.    For example, Path MTU Discovery
>     uses ICMP ( RFC 1191 ).  ICMP is not something you want to arbitrarily
>     filter.  At the very least you want to let through the various 
>     unreachability messages.

#ifndef _RUNAWAY_-CURRENT_THREAD

Nothing is broken by not getting host unreachable messages.  Nothing breaks by 
not permitting traceroutes (port unreachable et al.).  Sure, path MTU discovery 
according to RFC1191 is nice, but not vital.  Arguably, there are other
much bigger bottlenecks over WANs (at the edge of which firewalls are typically
used) than suboptimal MRUs.

Many service providers filter and/or rate limit ICMP messages (to prevent 
SMURF amplification et al. from causing havoc to their infrastructures).  To build 
applications which _rely exclusively_ on ICMP to work is close to grossly 
negligent.  Those that do are primarily diagnostic applications.

I didn't say ICMP is an optional component of IP.  This was in the context
of firewalls.  Some schools of firewall design insist that only absolutely
required traffic pass the firewall.  As such, turning ICMP off at the firewall
is perhaps not the prettiest or whatever way to do it, but it certainly
prevents the various exploits based on ICMP.

#endif /* _RUNAWAY_-CURRENT_THREAD */

There is no such thing as a free lunch.  Security doesn't come without a 
price.  In fact, I am required to trade slight performance and convenience
for security.  And so are many others.  That is where the question and my
response originated.

If you aren't part of that group...  use IP to the fullest and ignore this
thread.

Cheers,
Chris

-- 
  "We are not bound by any concept, we are just bound to make any concept work 
   better than others."                                  --  Dr. Ferry Porsche

[Disclaimer: I speak for myself and my views are my own and not in any way to
             be construed as the views of BellSouth Corporation. ]
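The disagreement above is really about how small the ICMP allow-list at a firewall can be: nothing at all (the "turn ICMP off" position), or at least the unreachability messages so that RFC 1191 path MTU discovery and traceroute keep working. The following is an added example, not code from the thread or from any FreeBSD firewall; it parses a raw ICMP message, verifies the RFC 1071 checksum, and runs it through three candidate policies, adding the sanity check a practitioner wants before passing "fragmentation needed" messages inward (a quoted IP header must be present and the advertised next-hop MTU must not be below the RFC 791 minimum of 68 bytes, or a forged message could throttle a host's path MTU). The policy names, the `filter_icmp` interface and the all-zero quoted header in the samples are this example's own assumptions; the type and code numbers come from RFC 792 and RFC 1191.

```python
"""Added example: a minimal ICMP allow-list filter with a PMTUD sanity check."""
import struct

# ICMP types and codes from RFC 792 / RFC 1191 that the thread is arguing over.
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_CODE_FRAG_NEEDED = 4      # type 3, code 4: "fragmentation needed and DF set"
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
IP_MIN_MTU = 68                # RFC 791: every host must accept a 68-byte datagram

# Candidate firewall policies as sets of (type, code); code None means any code.
# These names are this example's own, not ipfw or any vendor's terminology.
DENY_ALL_ICMP = frozenset()                                    # "turn ICMP off at the firewall"
PASS_UNREACHABLES = frozenset({(ICMP_DEST_UNREACH, None),       # "at least the unreachability messages"
                               (ICMP_TIME_EXCEEDED, None)})     # (time exceeded keeps traceroute working)
PASS_PMTUD_ONLY = frozenset({(ICMP_DEST_UNREACH, ICMP_CODE_FRAG_NEEDED)})


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int, payload: bytes = b"") -> bytes:
    """Serialise an ICMP message: type, code, checksum, 4-byte 'rest of header', payload."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def parse_icmp(pkt: bytes) -> dict:
    """Parse and checksum-verify an ICMP message; raises ValueError on malformed input."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than 8-byte header")
    icmp_type, code, _, rest = struct.unpack("!BBHI", pkt[:8])
    if icmp_checksum(pkt) != 0:              # a valid message checksums to zero as a whole
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "code": code, "rest": rest, "payload": pkt[8:]}


def filter_icmp(pkt: bytes, policy: frozenset) -> tuple:
    """Return ("pass" | "drop", reason) for one ICMP message under a policy."""
    try:
        msg = parse_icmp(pkt)
    except ValueError as exc:
        return ("drop", str(exc))
    t, c = msg["type"], msg["code"]
    if (t, c) not in policy and (t, None) not in policy:
        return ("drop", "type %d code %d not in allow-list" % (t, c))
    if (t, c) == (ICMP_DEST_UNREACH, ICMP_CODE_FRAG_NEEDED):
        # RFC 1191 carries the next-hop MTU in the low 16 bits of "rest of header";
        # 0 means an old router that does not report it, which hosts handle themselves.
        next_hop_mtu = msg["rest"] & 0xFFFF
        # An ICMP error must quote the offending IP header plus 8 bytes (RFC 792).
        if len(msg["payload"]) < 28:
            return ("drop", "frag-needed without quoted IP header")
        if 0 < next_hop_mtu < IP_MIN_MTU:
            return ("drop", "bogus next-hop MTU %d" % next_hop_mtu)
        return ("pass", "frag-needed, next-hop MTU %d" % next_hop_mtu)
    return ("pass", "type %d code %d allowed" % (t, c))


def demo() -> list:
    """Run constructed sample messages through each policy; returns (name, policy, verdict)."""
    quoted = bytes(28)                       # constructed stand-in for quoted IP header + 8 bytes
    samples = {
        "frag-needed mtu 1400": build_icmp(ICMP_DEST_UNREACH, ICMP_CODE_FRAG_NEEDED, 1400, quoted),
        "frag-needed mtu 40":   build_icmp(ICMP_DEST_UNREACH, ICMP_CODE_FRAG_NEEDED, 40, quoted),
        "time-exceeded":        build_icmp(ICMP_TIME_EXCEEDED, 0, 0, quoted),
        "echo-request":         build_icmp(ICMP_ECHO_REQUEST, 0, 0x00010001, b"ping"),
    }
    policies = {"deny-all": DENY_ALL_ICMP, "unreachables": PASS_UNREACHABLES,
                "pmtud-only": PASS_PMTUD_ONLY}
    return [(name, pname, filter_icmp(pkt, pol))
            for name, pkt in samples.items() for pname, pol in policies.items()]


if __name__ == "__main__":
    for name, pname, verdict in demo():
        print("%-22s %-13s %s" % (name, pname, verdict))
```

Under `DENY_ALL_ICMP` every sample is dropped, including the MTU 1400 "fragmentation needed" message, which is exactly the PMTUD cost the thread is weighing; `PASS_UNREACHABLES` lets that message and time-exceeded through while still dropping echo requests, and the MTU 40 message is dropped under every policy as bogus. On FreeBSD of that era the narrowest variant corresponds to an ipfw rule of the form `ipfw add allow icmp from any to any icmptypes 3` (type-level only, since ipfw's `icmptypes` keyword selects on type, not code; rate limiting against SMURF floods is a separate mechanism).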




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990117194706.H97318>