Subject: Re: SOLVED! The cause of puzzling TCP (eg. WHOIS) connection failures with some InterNIC.net hosts
To: NetBSD Networking Technical Discussion List <tech-net@netbsd.org>
From: Greg A. Woods <woods@most.weird.com>
List: tech-net
Date: 11/22/1998 12:46:50
[ On Sun, November 22, 1998 at 10:22:00 (-0500), Perry E. Metzger wrote: ]
> Subject: Re: SOLVED! The cause of puzzling TCP (eg. WHOIS) connection failures with some InterNIC.net hosts
>
> There is no valid reason to disable receipt of the particular ICMP
> messages in question. None. Zero. Zip. In general, disabling ICMP is
> actually quite a bad idea, but if we just restrict it to the question
> of the messages associated with Path MTU discovery, there is *no*
> valid security concern being addressed by blocking those messages.
>
> If you can name one, I'd like to hear it. Remember, I'm talking about
> only the messages associated with Path MTU, not any other ICMP messages.
Indeed!
If some brain-dead security officer (who still wields a big stick, for
unknown reasons) wants to filter "all ICMP" but still wants to let TCP
connections through (which might fail because of his first decision)
then the firewall *could* be made smart enough to automatically allow
ICMP error replies back in from the target address of all open (and
opening) TCP connections regardless of trying to enforce the first rule.
If ICMP is really to be treated as part of the infrastructure then I
suppose firewalls should manage it as such.
The problem is really one of education. Very few books (possibly
Stevens' "TCP/IP Illustrated" sets are the exception) talk incessantly
about how ICMP fits into the big picture. I've talked to all kinds of
very smart network administrators (some of whom know the TCP/IP state
diagram inside out -- in far more detail than I do), and yet who cannot
fathom why ICMP is important to the basic operation of the Internet.
They're truly stuck on the idea that ICMP is another protocol just
above IP (and some even say it's similar to UDP).
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
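The firewall behaviour sketched above (admit ICMP error replies that belong to open or opening TCP connections, while still dropping everything else under the blanket "no ICMP" rule) as an added illustration; this is not code from the thread or from any firewall. It matches on the IP header and TCP ports that every ICMP error quotes, rather than on the outer source address, because Path MTU "fragmentation needed" errors are sent by intermediate routers, not by the connection's target host. The state table and the sample packets are constructed.

```python
import struct
from ipaddress import IPv4Address

# Constructed state table of open (and opening) TCP connections known to the
# firewall, keyed as (local_ip, local_port, remote_ip, remote_port).
OPEN_TCP = {
    ("192.0.2.10", 40000, "198.51.100.5", 43),  # an outbound WHOIS session
}

# ICMP types that report an error about an earlier datagram; each quotes that
# datagram's IP header plus its first 8 bytes (the TCP ports and sequence number).
ICMP_ERROR_TYPES = {3: "destination-unreachable", 4: "source-quench",
                    11: "time-exceeded", 12: "parameter-problem"}

def parse_icmp_error(icmp: bytes):
    """Decode an ICMP error and the TCP 4-tuple it quotes; None if not applicable."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    icmp_type, code = icmp[0], icmp[1]
    inner = icmp[8:]                       # quoted IPv4 header starts after the 8-byte ICMP header
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8 or inner[9] != 6:
        return None                        # not an IPv4 header quoting a TCP segment
    src, dst = IPv4Address(inner[12:16]), IPv4Address(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    # Type 3 / code 4 ("fragmentation needed") carries the next-hop MTU in bytes 6-7.
    mtu = struct.unpack("!H", icmp[6:8])[0] if (icmp_type, code) == (3, 4) else None
    return {"type": icmp_type, "code": code, "next_hop_mtu": mtu,
            "quoted": (str(src), sport, str(dst), dport)}

def admit_icmp_error(icmp: bytes, state=OPEN_TCP) -> bool:
    """Admit an inbound ICMP error only when it quotes one of our own open TCP
    connections.  The quoted datagram is our outbound packet, so its source is
    the local end.  Anything else stays subject to the blanket ICMP filter."""
    parsed = parse_icmp_error(icmp)
    return parsed is not None and parsed["quoted"] in state

def build_icmp_error(icmp_type, code, src, sport, dst, dport, mtu=576):
    """Constructed sample only: an ICMP error quoting a minimal IPv4 + TCP prefix."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                           IPv4Address(src).packed, IPv4Address(dst).packed)
    inner_tcp = struct.pack("!HHI", sport, dport, 1)  # ports + initial seq = 8 bytes
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu) + inner_ip + inner_tcp

if __name__ == "__main__":
    frag_needed = build_icmp_error(3, 4, "192.0.2.10", 40000, "198.51.100.5", 43)
    print(admit_icmp_error(frag_needed))  # True: PMTU error for the WHOIS session
```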