RE: [suse-security] Skitter.ORG
This could be not as good an idea since RFC1122 says that every host connected to the Internet must answer to icmp echo requests.
Help me on this: [extract from rfc 1122]:

                                             |        | | | |S| |
                                             |        | | | |H| |F
                                             |        | | | |O|M|o
                                             |        | |S| |U|U|o
                                             |        | |H| |L|S|t
                                             |        |M|O| |D|T|n
                                             |        |U|U|M| | |o
                                             |        |S|L|A|N|N|t
                                             |        |T|D|Y|O|O|t
FEATURE                                      |SECTION | | | |T|T|e
ICMP Echo Request or Reply:                  |        | | | | | |
  Echo server and Echo client                |3.2.2.6 |x| | | | |
  Echo client                                |3.2.2.6 | |x| | | |
  Discard Echo Request to broadcast address  |3.2.2.6 | | |x| | |
  Discard Echo Request to multicast address  |3.2.2.6 | | |x| | |
  Use specific-dest addr as Echo Reply src   |3.2.2.6 |x| | | | |
  Send same data in Echo Reply               |3.2.2.6 |x| | | | |
  Pass Echo Reply to higher layer            |3.2.2.6 |x| | | | |
  Reflect Record Route, Time Stamp options   |3.2.2.6 | |x| | | |
  Reverse and reflect Source Route option    |3.2.2.6 |x| | | | |

What is echo server and echo client?
Pass Echo Reply to higher layer? Meaning in the IP stack, right?
So in short, every host and gateway should implement PING? Even firewalled hosts?
So why are there these big discussions about what ICMP a firewall should allow? This document tells you which ones?
I am lost...
Thanks
Raffy
Raffy:
> [extract from rfc 1122]:
Interesting... I never read this RFC... I'm on it right now.

quoted from RFC section
> Echo server and Echo client |3.2.2.6 |x| | | | |
> What is echo server and echo client?
3.2.2.6 Echo Request/Reply: RFC-792
Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies. A host SHOULD also implement an application-layer interface for sending an Echo Request and receiving an Echo Reply, for diagnostic purposes.

> Pass Echo Reply to higher layer |3.2.2.6 |x| | | | |
> Pass Echo Reply to higher layer? Meaning in the IP stack, right?
3.2.2.6 Echo Request/Reply: RFC-792
(...)
Echo Reply messages MUST be passed to the ICMP user interface, unless the corresponding Echo Request originated in the IP layer.

OSI layer diagram: (quoted from my Memory - e.g. may be wrong / different)
-Top-
?? Application: HTTP/FTP
???: ICMP/TCP
transportation: IP
??? : Ether
??
-Bottom-
So this means not the IP layer but the application layer.
> So why are there these big discussions about what ICMP a firewall should allow? This document tells you which ones?
3.2.2.6 Echo Request/Reply: RFC-792
(...)
An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.
DISCUSSION: This neutral provision results from a passionate debate between those who feel that ICMP Echo to a broadcast address provides a valuable diagnostic capability and those who feel that misuse of this feature can too easily create packet storms.

Conclusion: So I should implement my gateway/firewall to discard such incoming ICMP requests, right? No other host could know how I subnetted my network. I cannot decide if an outgoing ICMP request is legal (i.e. if 10.0.1.0 is a host or network. But their router can be configured by their administrator).
Peter
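To make the RFC 1122 section 3.2.2.6 rows that Raffy and Peter are quoting concrete, here is an added example (not code from this thread, from the RFC, or from any firewall product) that models how an IPv4 host decides what to do with an incoming Echo Request: it MUST answer a request to one of its unicast addresses, it MAY silently discard a request to a broadcast or multicast address, it replies from the specific-destination address, and it sends back the same data. The interface addresses and sample packets are constructed values; the class names and the `discard_broadcast` switch are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not code from the thread or from any firewall product: a model of the
# RFC 1122 section 3.2.2.6 rules for an IPv4 host receiving an ICMP Echo Request.
# The interface addresses and packets used below are constructed sample values.


@dataclass(frozen=True)
class EchoRequest:
    src: str     # sender's address (becomes the reply destination)
    dst: str     # address the request arrived on: unicast, broadcast or multicast
    ident: int
    seq: int
    data: bytes


@dataclass(frozen=True)
class EchoReply:
    src: str
    dst: str
    ident: int
    seq: int
    data: bytes


class Host:
    """One IPv4 host; each interface is given as 'address/prefixlen' (constructed)."""

    def __init__(self, interfaces: List[str]):
        self.interfaces = [ipaddress.ip_interface(i) for i in interfaces]

    def classify(self, dst: str) -> str:
        """Classify a destination as 'unicast', 'broadcast', 'multicast' or 'not-for-us'."""
        addr = ipaddress.ip_address(dst)
        if addr.is_multicast:
            return "multicast"          # simplification: assume the host joined the group
        for iface in self.interfaces:
            if addr == iface.ip:
                return "unicast"
            if addr == iface.network.broadcast_address:
                return "broadcast"      # directed broadcast of a local subnet
        if addr == ipaddress.ip_address("255.255.255.255"):
            return "broadcast"          # limited broadcast
        return "not-for-us"

    def reply_source_for(self, sender: str) -> str:
        """Address of the interface on the sender's subnet (used for broadcast/multicast replies)."""
        sender_addr = ipaddress.ip_address(sender)
        for iface in self.interfaces:
            if sender_addr in iface.network:
                return str(iface.ip)
        return str(self.interfaces[0].ip)

    def handle_echo(self, req: EchoRequest, discard_broadcast: bool = True) -> Optional[EchoReply]:
        """Apply section 3.2.2.6: MUST answer unicast echo; MAY silently discard
        broadcast/multicast echo; reply from the specific-destination address;
        send back the same data."""
        kind = self.classify(req.dst)
        if kind == "not-for-us":
            return None
        if kind in ("broadcast", "multicast") and discard_broadcast:
            return None  # the MAY: discard to avoid amplification and packet storms
        # specific-destination address: the unicast address the request was sent to,
        # or for broadcast/multicast the address of the interface that received it
        reply_src = req.dst if kind == "unicast" else self.reply_source_for(req.src)
        return EchoReply(src=reply_src, dst=req.src, ident=req.ident, seq=req.seq, data=req.data)


if __name__ == "__main__":
    host = Host(["192.0.2.10/24", "198.51.100.1/24"])  # constructed interfaces
    unicast = EchoRequest("192.0.2.20", "192.0.2.10", 1, 1, b"ping")
    directed = EchoRequest("192.0.2.20", "192.0.2.255", 1, 2, b"ping")
    print(host.handle_echo(unicast))
    print(host.handle_echo(directed))                           # None: discarded
    print(host.handle_echo(directed, discard_broadcast=False))  # replied from 192.0.2.10
```

With `discard_broadcast=True` the host takes the MAY that Peter reaches in his conclusion: requests to a subnet's broadcast address (or to 255.255.255.255, or to a multicast group) are dropped without a reply, while the MUST for ordinary unicast echo is still honoured. A gateway filter would make the same decision on the destination field of inbound packets; the example only models the host side, and treats any multicast destination as joined, which a real stack would check against its group memberships.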
Hi, At 12:01 05/01/01 +0100, Raffy wrote:
> This could be not as good an idea since RFC1122 says that every host connected to the Internet must answer to icmp echo requests.
Let's get this in perspective. It's STD0003 but look at the date: 1 Oct 1989. It may be worth checking out the STANDARD for an update. Back then networking was in its infancy and most people's security concerns revolved around internet worms and brute force attacks. Read "The Cuckoo's Egg" if you are interested. The question really is "Is it relevant today?" and the answer is "no". There are now many good reasons for denying echo and few for accepting. BTW these reasons existed back in 89 but there was neither the connectivity nor the knowledge of how to exploit them. Besides which we all had RIP which was far better at creating packet storms by itself than a ping exploit :-).
John
participants (3)
- John Trickey
- Peter Wiersig
- Raffy