Raffy:
[extract from rfc 1122]: Interesting... I never read this RFC... I'm on it right now.
Quoted from the RFC summary table: "Echo server and Echo client | 3.2.2.6 | x | | | | |"
What are an echo server and an echo client?
3.2.2.6 Echo Request/Reply: RFC-792. Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies. A host SHOULD also implement an application-layer interface for sending an Echo Request and receiving an Echo Reply, for diagnostic purposes.
Quoted from the RFC summary table: "Pass Echo Reply to higher layer | 3.2.2.6 | x | | | | |"
Pass Echo Reply to higher layer? Meaning in the IP stack, right?
3.2.2.6 Echo Request/Reply: RFC-792 (...) Echo Reply messages MUST be passed to the ICMP user interface, unless the corresponding Echo Request originated in the IP layer.
OSI layer diagram (quoted from my memory, so it may be wrong / different):
-Top-
??
Application: HTTP/FTP
???: ICMP/TCP
Transportation: IP
???: Ether
??
-Bottom-
So this means not the IP layer but the application layer.
So why is there this big discussion about what ICMP a firewall should allow? This document tells you which ones?
3.2.2.6 Echo Request/Reply: RFC-792 (...) An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded. DISCUSSION: This neutral provision results from a passionate debate between those who feel that ICMP Echo to a broadcast address provides a valuable diagnostic capability and those who feel that misuse of this feature can too easily create packet storms.
Conclusion: So I should implement my gateway/firewall to discard such incoming ICMP requests, right? No other host could know how I subnetted my network. I cannot decide if an outgoing ICMP request is legal (i.e. if 10.0.1.0 is a host or a network; but their router can be configured by their administrator).
Peter
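The optional discard that RFC 1122 section 3.2.2.6 describes (an Echo Request to a broadcast or multicast destination MAY be silently dropped), shown as a filter decision over a raw IPv4/ICMP datagram. This is an added example, not code from the post or from the RFC. The packets are constructed inside the script, the 10.0.1.0/24 subnet is an assumption taken from the 10.0.1.0 mentioned in the post, and the function names build_echo_request, parse and decide are mine.

```python
"""Filter decision for ICMP Echo Requests aimed at broadcast/multicast
addresses, per RFC 1122 section 3.2.2.6. Added example; all packets below
are constructed in this file, not captured traffic."""
import ipaddress
import struct

ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 for a
    datagram whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, ident=0x1234, seq=1, payload=b"ping") -> bytes:
    """Build a minimal IPv4 + ICMP Echo Request (constructed test input)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_ICMP, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse(packet: bytes):
    """Return (destination address, ICMP type), or None when the datagram is
    not well-formed IPv4/ICMP or either checksum fails."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP or len(packet) < ihl + 8:
        return None
    if inet_checksum(packet[:ihl]) != 0:          # IP header checksum
        return None
    icmp = packet[ihl:]
    if inet_checksum(icmp) != 0:                  # ICMP checksum covers header + data
        return None
    return ipaddress.IPv4Address(packet[16:20]), icmp[0]


def decide(packet: bytes, local_net: str) -> str:
    """'discard' for an Echo Request to a directed broadcast, limited broadcast
    or multicast address (the MAY in RFC 1122 3.2.2.6), 'accept' for any other
    valid ICMP, 'drop-malformed' when parsing or a checksum fails."""
    parsed = parse(packet)
    if parsed is None:
        return "drop-malformed"
    dst, icmp_type = parsed
    net = ipaddress.IPv4Network(local_net, strict=False)  # assumed local subnet
    amplifying_dst = (
        dst.is_multicast
        or dst == ipaddress.IPv4Address("255.255.255.255")
        or dst == net.broadcast_address
    )
    if icmp_type == ICMP_ECHO_REQUEST and amplifying_dst:
        return "discard"
    return "accept"


if __name__ == "__main__":
    for dst in ("10.0.1.7", "10.0.1.255", "224.0.0.1", "255.255.255.255"):
        print(dst, decide(build_echo_request("192.0.2.10", dst), "10.0.1.0/24"))
```

Running the script prints the decision for a unicast host, the subnet's directed broadcast, a multicast group and the limited broadcast; only the unicast request is accepted. Both checksums are verified before the address test, so a truncated or corrupted datagram is dropped as malformed rather than evaluated against the subnet.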