[olug] VNC w/Qwest

Luke -Jr luke at dashjr.org
Tue Oct 16 14:14:33 UTC 2007


On Monday 15 October 2007, Dave Hull wrote:
> On 10/15/07, Luke -Jr <luke at dashjr.org> wrote:
> > ICMP is a network infrastructure protocol. Networking standards assume it
> > is always in place. For example, DHCP uses pings to determine if an
> > address is in use. IP autoconfiguration generally will not work at all
> > without ICMP. Even if you do not need these standards, disabling ICMP is
> > still broken.
>
> In all of the configurations I've seen, DHCP servers are behind the
> firewalls that block ICMP along with the hosts that they give
> addresses to, so the DHCP servers are able to ping hosts as needed.

Like I said, your argument "defeats" the DHCP example. But it was just an 
example. And even if you were to carefully avoid breaking stuff you use, it 
is still wrong.

> That said, I don't see very many DHCP servers that actually ping hosts
> to determine if the address is in use. The RFCs say that the servers
> MAY or SHOULD use ICMP to determine if an address is in use. It's not
> required. In fact, if you check the ISC's DHCP server, you'll see
> there's an option for turning off ping checks.

The fact that they MAY or SHOULD use ICMP to determine if an address is in use 
at least implies that ICMP should always be a valid means to discover this.

> If you have a DHCP server that requires ICMP, you have a broken DHCP
> server.

"MAY" or "SHOULD" does not mean "SHOULD NOT".

> Blocking ICMP at the border of your network is the same as blocking
> any other protocol at the border of your network. If there's not a
> defined business need for allowing a protocol in and out of your
> network and there are security concerns related to that protocol, then
> don't allow it.

Network debugging is always a need.
There are no security concerns related to ICMP.

> If you're living in a world where ISPs are handing out /64s, where are
> you living? Japan? IPv6 is (sadly) still a ways off for most of us.

Every IPv4 address includes at least one /48 IPv6 subnet. I think two, but I 
could be wrong (maybe even more). IPv4 address aaa.bbb.ccc.ddd includes IPv6 
subnet 2002:aabb:ccdd::/48, including automatic routing around IPv4-only 
routers. If I ping 2002:your:ipv4::1, you *will* see it in tcpdump (unless 
your ISP is evil and explicitly blocks it).
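Editor's note: the 6to4 mapping described in the last paragraph, worked through as an added example (Python written for this archive page, not code from the original post or from the list). It derives the 2002::/48 prefix RFC 3056 assigns to an IPv4 address, recovers the IPv4 address embedded in a 6to4 destination, and builds a constructed IPv4 packet (protocol 41, IPv6-in-IPv4) carrying an ICMPv6 echo request, then decodes it the way an IPv4-only border device would have to. All addresses are documentation ranges chosen for the example, and the checksums are left at zero since nothing is ever put on the wire.

```python
import ipaddress
import struct

# Constants from the RFCs the example relies on (RFC 3056 6to4, RFC 4443 ICMPv6).
SIXTO4_NET = ipaddress.IPv6Network("2002::/16")
PROTO_IPV6_IN_IPV4 = 41        # outer IPv4 protocol number of a 6to4 packet
NEXT_HEADER_ICMPV6 = 58
ICMPV6_ECHO_REQUEST = 128


def sixto4_prefix(ipv4):
    """Return the /48 that RFC 3056 derives from an IPv4 address.

    aaa.bbb.ccc.ddd -> 2002:aabb:ccdd::/48: the 32 IPv4 bits occupy
    bits 80..111 of the IPv6 address, right after the fixed 2002 prefix.
    """
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def sixto4_host(ipv4, iid=1):
    """The '2002:your:ipv4::1' style address from the post (iid=1 by default)."""
    return sixto4_prefix(ipv4)[iid]


def embedded_ipv4(ipv6):
    """Recover the IPv4 address carried in a 6to4 address, or None if not 6to4."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in SIXTO4_NET:
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def build_6to4_echo(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed sample packet: IPv4(proto 41) / IPv6 / ICMPv6 echo request.

    Checksums are zero; this never touches a network, it only shows the
    layering an IPv4-only firewall has to look through.
    """
    icmp = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, 0x1234, 1)
    ip6 = struct.pack("!IHBB16s16s",
                      0x60000000,             # version 6, no traffic class / flow label
                      len(icmp), NEXT_HEADER_ICMPV6, 64,
                      ipaddress.IPv6Address(inner_src).packed,
                      ipaddress.IPv6Address(inner_dst).packed)
    inner = ip6 + icmp
    ip4 = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(inner), 0, 0, 64,
                      PROTO_IPV6_IN_IPV4, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    return ip4 + inner


def decode(packet):
    """What a border device sees: the outer IPv4 header, and only if it
    bothers to look inside protocol 41, the IPv6 and ICMPv6 headers inside."""
    ihl = (packet[0] & 0x0F) * 4
    seen = {
        "outer_proto": packet[9],
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
    }
    if seen["outer_proto"] != PROTO_IPV6_IN_IPV4:
        return seen
    ip6 = packet[ihl:ihl + 40]
    inner_dst = ipaddress.IPv6Address(ip6[24:40])
    seen["inner_src"] = str(ipaddress.IPv6Address(ip6[8:24]))
    seen["inner_dst"] = str(inner_dst)
    seen["inner_next_header"] = ip6[6]
    if ip6[6] == NEXT_HEADER_ICMPV6:
        seen["icmpv6_type"] = packet[ihl + 40]
    # RFC 3056 consistency check: the IPv4 address embedded in the inner 6to4
    # destination must equal the outer IPv4 destination; a relay is expected
    # to reject a mismatch.
    seen["dst_consistent"] = (embedded_ipv4(inner_dst)
                              == ipaddress.IPv4Address(seen["outer_dst"]))
    return seen


if __name__ == "__main__":
    pkt = build_6to4_echo("198.51.100.7", "192.0.2.1",
                          str(sixto4_host("198.51.100.7")),
                          str(sixto4_host("192.0.2.1")))
    print(sixto4_prefix("192.0.2.1"))     # 2002:c000:201::/48
    print(decode(pkt))
```

The point of the decoder is the one the post makes: a filter that only matches "ICMP" on the IPv4 side never sees the ICMPv6 echo, because on the wire the packet is protocol 41 and the echo request sits two headers deep.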


