[olug] VNC w/Qwest

Dave Hull dphull at gmail.com
Tue Oct 16 03:19:21 UTC 2007


On 10/15/07, Luke -Jr <luke at dashjr.org> wrote:

> ICMP is a network infrastructure protocol. Networking standards assume it is
> always in place. For example, DHCP uses pings to determine if an address is
> in use. IP autoconfiguration generally will not work at all without ICMP.
> Even if you do not need these standards, disabling ICMP is still broken.

In all of the configurations I've seen, DHCP servers are behind the
firewalls that block ICMP along with the hosts that they give
addresses to, so the DHCP servers are able to ping hosts as needed.
That said, I don't see very many DHCP servers that actually ping hosts
to determine if the address is in use. The RFCs say that the servers
MAY or SHOULD use ICMP to determine if an address is in use. It's not
required. In fact, if you check the ISC's DHCP server, you'll see
there's an option for turning off ping checks.

If you have a DHCP server that requires ICMP, you have a broken DHCP server.

Blocking ICMP at the border of your network is the same as blocking
any other protocol at the border of your network. If there's not a
defined business need for allowing a protocol in and out of your
network and there are security concerns related to that protocol, then
don't allow it.

If you're living in a world where ISPs are handing out /64s, where are
you living? Japan? IPv6 is (sadly) still a ways off for most of us.
This goes back to something a brilliant boss of mine used to say,
"Deployment wins." Unfortunately, IPv4 is deployed and it's working
for the vast majority of us. Going to IPv6 is like going to Vista:
there's no compelling need.

I did read something the other day that may change this, however.
Apparently the U.S. Government is mandating the adoption of IPv6 by
government-run agencies. Anyone know anything more about this?

-- 
Dave Hull
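As an added illustration of the ISC dhcpd ping-check option referred to above (this fragment is not from the original thread; `ping-check` and `ping-timeout` are the statements documented for ISC dhcpd, while the subnet and address values are constructed):

```conf
# Constructed dhcpd.conf fragment, not taken from the original post.
# ping-check controls whether dhcpd sends an ICMP echo request to an
# address before offering it; the default is on.
ping-check false;        # turn the probe off globally

subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.200;
    # Re-enable the probe only where it earns its keep, e.g. a segment
    # where statically addressed hosts may overlap the dynamic pool.
    ping-check true;
    ping-timeout 2;      # seconds to wait for an echo reply (default 1)
}
```

If ICMP echo is filtered between the server and the segment, the probe simply times out and the address is offered anyway, so a blocked ICMP path silences the check rather than breaking leasing.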
