Add a little more info on ICMP
This commit is contained in:
parent feb9d6f69e
commit db7a2ddf5c
1 changed files with 2 additions and 2 deletions
| @ -18,7 +18,7 @@ | |||
<td> | ||||
<h1 class="title">OpenBSD Router Guide</h1> | ||||
<h4>Network segmenting firewall, DHCP, DNS with Unbound, domain blocking and much more<br> | ||||
<span style="font-size:x-small;font-weight:initial;">OpenBSD: 6.8 · Published: 2020-11-05 · Updated: 2020-11-10 · Version: 1.3.0</span> | ||||
<span style="font-size:x-small;font-weight:initial;">OpenBSD: 6.8 · Published: 2020-11-05 · Updated: 2020-11-10 · Version: 1.3.1</span> | ||||
</h4> | ||||
</td> | ||||
</tr> | ||||
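Review bot: the version string is bumped from 1.3.0 to 1.3.1 but the "Updated: 2020-11-10" field on the same line is left unchanged; if this revision is published on a later day than the previous one, the Updated date should move with the version so readers can tell which build of the guide they are looking at.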
| @ -413,7 +413,7 @@ block drop in quick inet from 192.168.3.1 to any<br> | |||
<p>We are allowing <a href="https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol">ICMP</a> in our setup, even though some network administrators completely block ICMP. People mainly block ICMP completely because of unwarranted actions such as network discovery attacks, covert communication channels, <a href="https://en.wikipedia.org/wiki/Ping_sweep">ping sweep</a>, <a href="https://en.wikipedia.org/wiki/Ping_flood">ping flood</a>, <a href="https://en.wikipedia.org/wiki/ICMP_tunnel">ICMP tunneling</a> and <a href="https://en.wikipedia.org/wiki/ICMP_Redirect_Message#Redirect">ICMP redirecting</a>. However, ICMP is much more than answering pings. If we block ICMP completely, diagnostics, reliability, and network performance may suffer as a result because important mechanisms are disabled when the ICMP protocol is restricted.</p> | ||||
<p>Some of the reaons why ICMP shouldn't be blocked:</p> | ||||
<ul> | ||||
<li>Path MTU discovery (PMTUD) is used to determine the maximum transmission unit size on network devices that connects the source and destination to avoid IP fragmentation. ICMP type 3, code 4, and max packet size are returned when a packet exceeds the MTU size of a network device on the connected path. When these ICMP messages are blocked, the destination system continuously requests undelivered packets and the source system continues to resend them infinitely but to no avail. The behaviour can result in an ICMP <a href="https://en.wikipedia.org/wiki/Black_hole_%28networking%29">black hole</a>.</li> | ||||
<li>Path MTU discovery (PMTUD) is used to determine the maximum transmission unit size on network devices that connects the source and destination to avoid IP fragmentation. TCP depends on ICMP packets of type 3 code 4 for "Path MTU Discovery". ICMP type 3, code 4, and max packet size are returned when a packet exceeds the MTU size of a network device on the connected path. When these ICMP messages are blocked, the destination system continuously requests undelivered packets and the source system continues to resend them infinitely but to no avail. The behaviour can result in an ICMP <a href="https://en.wikipedia.org/wiki/Black_hole_%28networking%29">black hole</a> (congested IP connections and broken transmissions).</li> | ||||
<li>Time to live (TTL) defines the lifespan of a data packet. A network with ICMP blocked will not receive type 11, time exceeded, code 0, time exceeded in transit error messages. This means that the source host will not be notified to increase the lifespan of the data to successfully reach the destination, if the datagram fails to reach the destination.</li> | ||||
<li>Poor performance because of blocking ICMP redirect. ICMP redirect is used by a router to inform a host of a direct path from the source host to a destination host. This reduces the amount of hops data has to travel through to reach the destination. With ICMP blocked, the host will not be aware of the most optimal route to the destination.</li> | ||||
</ul> | ||||
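Review bot: the inserted sentence `TCP depends on ICMP packets of type 3 code 4 for "Path MTU Discovery".` duplicates what the surrounding sentences already say (the item opens by expanding PMTUD and the next sentence already states that type 3, code 4 is returned when the MTU is exceeded), so the list item now names the same mechanism three times; fold the TCP dependency into the existing sentence instead, e.g. `ICMP type 3, code 4 with the next-hop MTU is returned when a packet exceeds the MTU ... and TCP relies on it for PMTUD`. While touching this line, `network devices that connects` should read `that connect`, and the context line above has `reaons` for `reasons`.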