[olug] VNC w/Qwest

Luke -Jr luke at dashjr.org
Tue Oct 16 00:52:25 UTC 2007


On Monday 15 October 2007, Christopher Cashell wrote:
> On 10/15/07, Luke -Jr <luke at dashjr.org> wrote:
> > ICMP is a network infrastructure protocol. Networking standards assume it
> > is always in place. For example, DHCP uses pings to determine if an
> > address is in use. IP autoconfiguration generally will not work at all
> > without ICMP. Even if you do not need these standards, disabling ICMP is
> > still broken.
>
> DHCP and IP autoconfiguration are local network technologies, and not
> intended to be used across disparate networks or the Internet.  

Well, I know of at least one case where blocking ICMP somehow prevented any 
internet access from working. Once ICMP was allowed, everything worked fine.

> Like it or not, blocking ICMP at a border firewall is a valid technique for
> increasing security,

I don't see how it has any legitimate purpose.

> and in this day of NAT and connection sharing/pooling, it's very often
> impossible to fully support Internet responding ICMP for all hosts on a
> network.  

The day of NAT is gone. In this day of 128-bit addressing, every device should 
have a globally routable address and properly respond to ICMP.
