ICMP (was: Re: keys.gnupg.net - Refresh all public keys never completes in) Enigmail, some servers down?

[Doug Barton]

On Aug 15, 2014, at 8:46 AM, Aaron Toponce <aaron.toponce at gmail.com> wrote:

> On Thu, Aug 14, 2014 at 05:13:08PM +0100, OmegaPhil wrote:
>> Fair point, although that would be a network misconfiguration as
>> ping/ICMP is required for network troubleshooting, packet fragmentation
>> stuff etc (for reference I'm testing from a dedicated line that I control).
> 
> Blocking ICMP is not a network misconfiguration at all. ICMP echo requests are
> intentionally blocked to prevent a number of ICMP-related attacks:
> 
>    * ICMP floods
>    * ICMP nukes
>    * ICMP smurfs
>    * ICMP "ping of death"
> 
> Also, most Cisco routers do not put priority on ICMP packets. It's very common
> for Cisco to drop ICMP while processing other protocols on very busy networks.
> 
> The best way to troubleshoot a problem to a network server, is to use the
> protocol you're having issues with, check BGP routes, ARP entries, DNS, etc.
> While ping(1) is certainly a great tool to have, it should be only one of the
> many tools in your network troubleshooting toolbox.

Blocking all ICMP has always been a misconfiguration. As “OmegaPhil” pointed out there are several types of ICMPv4 that are required for the proper operation of the network. The most important is PMTUD, but there are others that are also important, and are not DOS vectors (and never have been). 

In IPv6 ICMP is required, period. There is no RFC-compliant configuration with ICMP disabled, and disabling it will severely break your network. Of course a lot more thought has gone into not building the DOS vectors into the protocol design in the first place, so it’s a very different animal. :)

Of course this is wildly off-topic, and I apologize if anyone is unappreciative of my little rant. But the whole “we must block ICMP, for the security!” thing has been a sore point for me going on 20 years now. 

Doug