1. 22

  2. 13

    The problem is there are far too many “security” people in the world who don’t know what ICMP does who think it needs to be blocked network-wide to satisfy some byzantine pen-test report that was created by some other “security” people who also don’t know what ICMP does. Don’t block ICMP. Seriously.

    1. 2

      I think it’s the legacy of the ‘ping of death’. But you know 1997 was such a long time ago.

      1. 1

As a “security” guy, the reason ICMP (more specifically ping) is typically blocked is because it makes recon too easy. Most things in security are just about making it harder to attack to the point where either it’s not worth it or it takes so long and generates so much noise that the attacker gets caught by automated defenses. If you ping sweep the network, you now have a map of everything on that network, their addresses, and the system types. That’s a lot of valuable info that the target just gave you essentially for free.

        It’s not about the ping of death. It’s about not telling strangers on the street your home address and the type of lock installed on your front door.

        Edit: that’s not to say I’m arguing for blocking ICMP. Just explaining why some people recommend it. It’s a far more nuanced subject than I’ve explained above.

    2. 9

      You know the old saying … if your article asks a question in the headline the answer is “no.”

      1. 4

        Or: “well, it’s a complex topic, let’s say ‘it depends’”

      2. 3

        Reminds me of an old post.

        1. 2

          I recently found that IPv6 HTTP traffic was unable to flow to my OpenBSD bytemark VPS (on a /56 netmask) unless I allow ICMP6 through the packet filter.

          Perhaps someone knows why that might be?

          FWIW, the bytemark docs are here: https://docs.bytemark.co.uk/article/finding-your-ipv6-address/

          1. 5

            And just as I posted this, I received an email from Bytemark saying that they’d updated their docs in light of my support request. The docs now say:

            The role of ICMP has changed a little for IPv6. If your firewall has a default policy of deny then you may struggle to get traffic to or from your server without allowing traffic for certain ICMPv6 types. Types 1 – destination unreachable, 2 – Packet too big, 3 – Time exceeded and 4 – Parameter problem, for reporting errors to other devices. Types 128 – echo request, 129 – echo reply, for testing connectivity. Types 133 – Router Solicitation, 134 – Router Advertisement, 135 – Neighbor Solicitation, 136 – Neighbor Advertisement, for neighbour discovery. More information can be found at Wikipedia.

            So if you are having routing/visibility problems with IPv6, then ICMP might be your problem!

            Good show Bytemark.

            1. 2
            2. 5

ICMP6 takes the role of ARP (neighbor discovery). If you block it, you’ve just removed the ability of any other v6 nodes on the local network to see you.

              1. 1

I’ve done some experimenting with determining the maximum MTU in IPv6 for a UDP application, and if your host doesn’t process ICMPv6 Packet Too Big messages you’ll never be able to learn how to reach the other side in cases where your packets are too big (since v6 routers don’t fragment). These packets are effectively black holed.
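The two points raised in this subthread (the ICMPv6 types a default-deny firewall has to pass, per the Bytemark note above, and the way a filtered Packet Too Big turns into a black hole for a UDP sender) can be made concrete in a small Python model. This is an added example, not code from the thread, from Bytemark or from OpenBSD. It decodes ICMPv6 messages with the RFC 4443 pseudo-header checksum, extracts the MTU from a type 2 message, and then simulates a sender that sizes datagrams to its path-MTU estimate across a chain of links. The addresses use the 2001:db8::/32 documentation prefix and all packets are constructed in memory; the path model is a simplification (a real host would fall back to a Fragment header below 1280 rather than just clamping, and the invoking packet in the PTB body is a zero stand-in).

```python
"""ICMPv6 decoding, checksum validation and a model of IPv6 path-MTU discovery.

Constructed example: nothing here touches a real network interface.
"""
import ipaddress
import struct

IPV6_MIN_MTU = 1280  # RFC 8200: every IPv6 link must carry 1280-byte packets
ICMPV6_NEXT_HEADER = 58

# The ICMPv6 types listed in the Bytemark note above (RFC 4443 / RFC 4861).
ICMPV6_TYPES = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
    133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
}

# Constructed addresses (RFC 3849 documentation prefix), not real hosts.
HOST = ipaddress.IPv6Address("2001:db8::1").packed
PEER = ipaddress.IPv6Address("2001:db8:1::1").packed
ROUTER = ipaddress.IPv6Address("2001:db8::ff").packed


def icmpv6_checksum(src: bytes, dst: bytes, msg: bytes) -> int:
    """RFC 4443 s2.3: one's-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, next header 58) and the ICMPv6 message."""
    data = src + dst + struct.pack("!I3xB", len(msg), ICMPV6_NEXT_HEADER) + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmpv6(src: bytes, dst: bytes, msg_type: int, code: int, body: bytes) -> bytes:
    """Assemble type, code, checksum and body into one ICMPv6 message."""
    csum = icmpv6_checksum(src, dst, struct.pack("!BBH", msg_type, code, 0) + body)
    return struct.pack("!BBH", msg_type, code, csum) + body


def parse_icmpv6(src: bytes, dst: bytes, msg: bytes) -> dict:
    """Validate and decode a received ICMPv6 message. Summing over a message
    that already carries a correct checksum yields 0."""
    if len(msg) < 8:
        raise ValueError("ICMPv6 message shorter than 8 bytes")
    if icmpv6_checksum(src, dst, msg) != 0:
        raise ValueError("bad ICMPv6 checksum")
    msg_type, code = msg[0], msg[1]
    info = {"type": msg_type, "code": code, "name": ICMPV6_TYPES.get(msg_type, "other")}
    if msg_type == 2:  # Packet Too Big: 32-bit link MTU, then the dropped packet
        (info["mtu"],) = struct.unpack("!I", msg[4:8])
        info["invoking_packet"] = msg[8:]
    elif msg_type in (128, 129):  # Echo: identifier and sequence number
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
    return info


def update_pmtu(current_pmtu: int, reported_mtu: int) -> int:
    """RFC 8201: a Packet Too Big may only lower the estimate, and never below
    the IPv6 minimum (a smaller report means 'add a Fragment header', not
    'send smaller packets')."""
    if reported_mtu >= current_pmtu:
        return current_pmtu
    return max(reported_mtu, IPV6_MIN_MTU)


def simulate_udp_send(datagram_len: int, link_mtus: list, icmp_allowed: bool,
                      max_attempts: int = 8) -> dict:
    """Model of a UDP sender sizing datagrams to its current path-MTU estimate.
    link_mtus[0] is the first hop. A router in front of a smaller link drops the
    packet and, if ICMPv6 is not filtered, returns Packet Too Big with that
    link's MTU. With ICMPv6 blocked the sender learns nothing and keeps failing."""
    pmtu = link_mtus[0]
    for attempt in range(1, max_attempts + 1):
        size = min(datagram_len, pmtu)
        too_small = next((m for m in link_mtus if size > m), None)
        if too_small is None:
            return {"delivered": True, "pmtu": pmtu, "attempts": attempt}
        if not icmp_allowed:
            continue  # dropped silently: the black hole the comment describes
        # Router -> host. Body: link MTU, then the start of the dropped packet
        # (a 40-byte zero stand-in for its IPv6 header in this constructed model).
        ptb = build_icmpv6(ROUTER, HOST, 2, 0, struct.pack("!I", too_small) + bytes(40))
        pmtu = update_pmtu(pmtu, parse_icmpv6(ROUTER, HOST, ptb)["mtu"])
    return {"delivered": False, "pmtu": pmtu, "attempts": max_attempts}
```

Running `simulate_udp_send(1500, [1500, 1400, 1280], icmp_allowed=True)` converges to a 1280-byte path MTU on the third attempt; the same call with `icmp_allowed=False` exhausts all attempts with the estimate still at 1500 and nothing delivered, which is exactly what a firewall that drops type 2 buys you.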