[olug] VNC w/Qwest

Dave Hull dphull at gmail.com
Tue Oct 16 15:14:52 UTC 2007


On 10/16/07, Luke -Jr <luke at dashjr.org> wrote:
> On Monday 15 October 2007, Dave Hull wrote:
> > If you have a DHCP server that requires ICMP, you have a broken DHCP
> > server.
>
> "MAY" or "SHOULD" does not mean "SHOULD NOT".

You are correct. But what the RFCs don't say (and some others do) is
"MUST" which means it's required for the protocol to work. Without it,
you don't have the protocol defined in the RFC. DHCP does not require
ICMP.

> Network debugging is always a need.

Correct. But we're talking about blocking ICMP at the border of your
network. It's still allowed internally and firewalls can be configured
to allow ICMP between certain hosts on either side of the firewall. If
I'm troubleshooting a network problem that traverses the border of my
network, I can have ICMP opened up to the external network in question
to aid my troubleshooting, but opening it up to the world is a really
bad idea.

> There are no security concerns related to ICMP.

I am trying to say this as gently as I can. You are obviously not a
security practitioner. There are security implications with allowing
ICMP unfettered in and out of your network. Very little study will be
required on your part to find out why this is so. Even if you accept
(most rational people wouldn't) that it's not a security problem that
unrestricted ICMP allows external entities to map your entire network,
you don't have to look very hard to find security issues related to
ICMP. Go search the CVE database for ICMP. You'll find 70 entries in
their database and a handful of them are relatively recent. Granted
these may not all be problems with the protocol itself, but with the
implementation in some particular device, but the fact remains that
the exploits are carried out by means of ICMP.

To say that there are no security concerns related to ICMP is to show
your ignorance about security. There are security concerns with
virtually everything in modern information systems.

-- 
Dave Hull
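An added example, not part of the thread, of the border policy the message above describes: an nftables ruleset for a Linux router that leaves ICMP unrestricted inside the network, drops unsolicited ICMP arriving on the WAN side, and carves out one named external peer for the duration of a cross-border troubleshooting session. The interface name, LAN subnet and peer address are constructed placeholders, and the ruleset covers IPv4 only.

```nft
#!/usr/sbin/nft -f
# Constructed values: WAN on eth0, one LAN subnet, and one external
# peer (TEST-NET-3 placeholder) that is temporarily allowed to ping
# while a problem that crosses the border is being debugged.
define wan     = "eth0"
define lan_net = 192.168.1.0/24

flush ruleset

table inet border {
    # Troubleshooting exception list; add and remove peers at run time:
    #   nft add element inet border icmp_debug_peers { 203.0.113.10 }
    #   nft delete element inet border icmp_debug_peers { 203.0.113.10 }
    set icmp_debug_peers {
        type ipv4_addr
        elements = { 203.0.113.10 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept

        # Inside the border ICMP stays unrestricted.
        iifname != $wan ip saddr $lan_net ip protocol icmp accept

        # From the world keep only the error messages the stack needs
        # (path MTU discovery, unreachable and TTL-expired signalling).
        iifname $wan icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # Echo requests only from a listed debugging peer, rate limited;
        # every other ICMP message from the WAN is dropped.
        iifname $wan ip saddr @icmp_debug_peers icmp type echo-request limit rate 5/second accept
        iifname $wan ip protocol icmp drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # LAN hosts may ping outward; replies return via conntrack.
        iifname != $wan oifname $wan ip saddr $lan_net ip protocol icmp accept

        # Same border policy for ICMP transiting to internal hosts.
        iifname $wan icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        iifname $wan ip saddr @icmp_debug_peers icmp type echo-request accept
        iifname $wan ip protocol icmp drop

        # (the site's non-ICMP forwarding rules would follow here)
    }
}
```

Load with `nft -f border.nft`; removing the peer from the set once the debugging session ends restores the default of no echo from the outside.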
