[extract from rfc 1122]: Interesting... I never read this RFC... I'm on it right now.
Don't have too much time, should probably also do that *g*
quoted from RFC section: "Echo server and Echo client | 3.2.2.6 | x | | | |" What is echo server and echo client? 3.2.2.6 Echo Request/Reply: RFC-792 Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies. A host SHOULD also implement an application-layer interface for sending an Echo Request and receiving an Echo Reply, for diagnostic purposes.
Seems nice. But if I block that at the firewall. I mean the host implemented it, but I block it :-) Honestly, I guess I will have to allow PING through the firewall, although, I DON'T LIKE THAT! What are other people's thoughts?
Pass Echo Reply to higher layer | 3.2.2.6 | x | | | | Pass Echo Reply to higher layer? Meaning in the IP stack, right?
3.2.2.6 Echo Request/Reply: RFC-792 (...) Echo Reply messages MUST be passed to the ICMP user interface, unless the corresponding Echo Request originated in the IP layer.
I phrased my question wrong... Anyway. Let me help you with the OSI model:
OSI layer diagram: (quoted from my Memory - e.g. may be wrong / different) -Top-
Application is the TOP
Application: HTTP/FTP ???: ICMP/TCP
SESSION
transportation: IP ??? : Ether
DataLink! Lowest layer is Physical Layer!
3.2.2.6 Echo Request/Reply: RFC-792 (...) An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded. DISCUSSION: This neutral provision results from a passionate debate between those who feel that ICMP Echo to a broadcast address provides a valuable diagnostic capability and those who feel that misuse of this feature can too easily create packet storms.
Conclusion: So I should implement my gateway/firewall to discard such incoming ICMP requests, right?
You should block ICMP to the broadcast address in every case. This is the source for a lot of DoS attacks, because it would generate quite some network traffic (all the machines in the subnet would PONG).
No other host could know how I subnetted my network. I cannot decide if an outgoing ICMP request is legal (i.e. if 10.0.1.0 is a host or a network; their router can be configured by their administrator).
What do you mean? Raffy
Raffy:
Pass Echo Reply to higher layer | 3.2.2.6 | x | | | | Pass Echo Reply to higher layer? Meaning in the IP stack, right?
Application is the TOP ???: ICMP/TCP transportation: IP ??? : Ether
Yes, so the echo reply should be passed to the application layer, not to the IP stack (which is somewhere lower, if I'm right). I think this requirement has to do with user feedback, or that the data-sending application gets to know something went wrong.
3.2.2.6 Echo Request/Reply: RFC-792
Conclusion: So I should implement my gateway/firewall to discard such incoming ICMP requests, right?
You should block ICMP to the broadcast address in every case. This is the source for a lot of DoS attacks, because it would generate quite some network traffic (all the machines in the subnet would PONG).
I agree with that. See my explanation below
No other host could know how I subnetted my network. I cannot decide if an outgoing ICMP request is legal (i.e. if 10.0.1.0 is a host or a network; their router can be configured by their administrator). What do you mean? Raffy
I mean I could only DENY incoming ICMP echo requests, not also my outgoing requests. I cannot say if 10.0.0.127 is a host or a broadcast address. Their netmask may be 255.255.255.128, and with this netmask .127 is a broadcast address. I was thinking whether all providers could stop packet storms at the outgoing routers. But they can't. So if all administrators would drop incoming ICMP echo requests to local broadcast addresses, packet storms wouldn't be possible.
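The asymmetry Raffy describes, as an added example (not code from the thread or from RFC 1122): an inbound filter on the gateway knows its own subnets and can drop echo requests aimed at their directed broadcast addresses, while for outbound requests the same address may or may not be a broadcast depending on a remote netmask the gateway never sees. The local subnets are constructed sample values.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed example: the subnets behind our own gateway (not from the thread).
LOCAL_SUBNETS = [IPv4Network("10.0.1.0/24"), IPv4Network("10.0.2.0/25")]
LIMITED_BROADCAST = IPv4Address("255.255.255.255")


def is_local_broadcast(dst, subnets=LOCAL_SUBNETS):
    """True if dst is the directed broadcast of one of *our* subnets or the
    limited broadcast. The gateway knows its own masks, so this is decidable."""
    addr = IPv4Address(dst)
    if addr == LIMITED_BROADCAST:
        return True
    return any(addr == net.broadcast_address for net in subnets)


def inbound_echo_request_action(dst, subnets=LOCAL_SUBNETS):
    """Verdict for an ICMP echo request arriving from outside: drop the ones
    that would make every host in the subnet reply (the amplification case)."""
    return "DROP" if is_local_broadcast(dst, subnets) else "ACCEPT"


def is_broadcast_under_mask(dst, prefixlen):
    """Would dst be a broadcast address if the *remote* network used this
    prefix length? strict=False lets us derive the network from a host address."""
    addr = IPv4Address(dst)
    net = IPv4Network(f"{addr}/{prefixlen}", strict=False)
    return addr == net.broadcast_address


def outbound_echo_verdict(dst, candidate_prefixlens=range(8, 31)):
    """For an outgoing echo request we do not know the remote netmask.
    'ambiguous' means the address is a broadcast under some plausible masks
    and an ordinary host under others, so no correct outbound rule exists."""
    results = [is_broadcast_under_mask(dst, p) for p in candidate_prefixlens]
    if all(results):
        return "broadcast"
    if not any(results):
        return "host"
    return "ambiguous"


if __name__ == "__main__":
    for dst in ("10.0.1.255", "10.0.2.127", "10.0.1.42"):
        print(f"inbound  {dst:>15}: {inbound_echo_request_action(dst)}")
    for dst in ("10.0.0.127", "10.0.0.5"):
        print(f"outbound {dst:>15}: {outbound_echo_verdict(dst)}")
```

The 10.0.0.127 case from the thread comes out as ambiguous: it is a broadcast under /25 (255.255.255.128) but a plain host under /24.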
participants (2)
- Peter Wiersig
- Raffy