[c-nsp] What MTU for Bellsouth BBG / BRAS <-> LNS l2TP tunnel ?

Gert Doering gert at greenie.muc.de
Tue Nov 2 16:49:48 EST 2004


Hi,

On Tue, Nov 02, 2004 at 01:32:51PM -0800, Hudson Delbert J Contr 61 CS/SCBN wrote:
> here is why i have come to hate icmp.
> 
> the ICMP/Packet Internet Groper program or ping sends out ICMP Echo Request
> type=8 packets, and waits for ICMP Echo Reply type=0 replies.
> 
> If the distant end is up, has an IP stack, and is not behind a device
> blocking ICMP echoes (a firewall),
> the echo reply will be received by your stack and presented to ping. so as
> one can see it indicates that
> the remote system is up and reachable.

So?  

First of all, you can do that with just about any sort of packets, you're
not restricted to "ping" (like "send TCP SYNs to port 80").

Second, if you feel more secure that way, you can block ICMP echo
specifically, without breaking important parts of the IP protocol suite
(like "destination unreachable" ICMPs, or PMTUd).

Third, and not least, blocking ICMPs will not make your network *any* more
secure.  Not at all.  If you have a service running on a port that's
reachable from the Internet, and that service has a known vulnerability,
you're toast.  With or without Ping.  The number of worms that use ICMP
scanning is near zero (Nachi does this), compared to the zillion of worms
that use direct port scanning on the target service.

> to prevent scan many firewalls block both outbound request and inbound
> replies.

This is even worse - it means "if the network is broken, you take away
the ability to figure out *why* and *where*".

[..]
> source quench and Redirects adjust routing tables and as such should also
> never pass a firewall as they can be used to seed DoS and other blends.

no current stack cares for source quench :-)

redirects MUST only be honoured when being sent from directly adjacent
routers to hosts.  If proper anti-spoofing filters are in place, you
cannot send those packets from the outside.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
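Gert's second point in concrete form, as an added example that is not part of the thread: an nftables ruleset that drops only inbound ICMP echo-request while keeping destination-unreachable, PMTUD (fragmentation-needed / packet-too-big) and an anti-spoofing reverse-path check intact. The interface name "eth0" is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits an nftables ruleset
# that blocks inbound ping without breaking the rest of ICMP.
# "eth0" is assumed to be the Internet-facing interface.

icmp_ruleset() {
  cat <<'EOF'
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept

    # Anti-spoofing: drop packets whose source address has no route back
    # via the interface they arrived on. This is what stops an outside host
    # from forging a redirect that looks like it came from an adjacent router.
    fib saddr . iif oif missing drop

    # Keep what PMTUD and error reporting need. Type 3 (incl. code 4,
    # "fragmentation needed") is IPv4 PMTUD; packet-too-big is IPv6 PMTUD.
    icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

    # Redirects only ever legitimately come from a directly adjacent router,
    # never from the Internet side; source quench is ignored by current stacks.
    iif "eth0" icmp type { redirect, source-quench } drop

    # Block only inbound echo-request. Outbound pings still get their replies
    # through the established,related rule above, so troubleshooting works.
    iif "eth0" icmp type echo-request drop
    iif "eth0" icmpv6 type echo-request drop
  }
}
EOF
}

# Syntax-check the ruleset without loading it, when nft is installed.
check_ruleset() {
  command -v nft >/dev/null 2>&1 || { echo "nft not installed; skipping check"; return 0; }
  icmp_ruleset | nft -c -f -
}

icmp_ruleset
```

Load it with `icmp_ruleset | nft -f -` once `check_ruleset` passes; note that inbound echo-reply is deliberately not dropped, so your own pings outward keep working.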