On Wed, 24 Jul 2002, Craig Whitmore wrote:
Is blocking _all_ ICMP types the wrong thing to do (in particular type 3 (unreachable), subtype 4 (needs fragmentation) for PMTU Discovery), basically breaking their website for people whose paths get fragmented TCP/IP packets?
The answer is of course in the results of the blocking, and if you read the story again, you'll see that the ASB security specialist says:

"It says 'this packet is too big' so it can't send it on but it's not allowed to fragment it either, so it says 'I'll generate an ICMP message'." However, the ICMP message doesn't get sent to the banks because the banks filter ICMP and the message eventually times out.

"It's one of those things where our standard policy is if we don't need it and it's no great issue, let's leave it off," says Bilby.

Bilby says the issue usually only occurs with larger packets, and that typically happens after the user has logged on and is requesting a larger file, like an account statement. "Often a user can log on to a website that is blocking all ICMP but can't retrieve larger web pages such as a large balance screen or statement listings."

I guess it depends on how useful you want to make your Web site. If usefulness isn't a priority, block all ICMP. To further lessen usefulness, block TCP as well. ;-)

-- 
Juha Saarinen

-
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
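As an added illustration (not part of Juha's post or the news story), here is a small Python model of the PMTU Discovery behaviour Bilby describes: a web server sending DF packets over a path with a constructed 1480-byte hop, under three server-side ICMP filter policies. Hop MTUs, response sizes and the retry limit are assumptions; TCP itself is not modelled, only the packet-size feedback loop.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
ICMP_UNREACHABLE, CODE_FRAG_NEEDED = 3, 4   # "fragmentation needed and DF set"
IP_HDR = 20                                  # IPv4 header bytes, no options


@dataclass
class Path:
    """Hops from the bank's web server to the client, plus the server-side ICMP filter."""
    link_mtus: List[int]                    # constructed MTU per hop, server towards client
    allowed_icmp: Optional[Set[Tuple[int, int]]]  # (type, code) pairs let back in; None = no filter

    def send(self, size: int):
        """Forward one DF packet of `size` bytes and report what the server sees in return."""
        for mtu in self.link_mtus:
            if size > mtu:
                # The router may not fragment (DF set), so it sends type 3 / code 4 carrying its MTU.
                feedback = (ICMP_UNREACHABLE, CODE_FRAG_NEEDED)
                if self.allowed_icmp is None or feedback in self.allowed_icmp:
                    return "icmp", mtu
                return "blackhole", None        # the bank's border filter discards the ICMP
        return "ok", None


def transfer(path: Path, payload: int, initial_mtu: int = 1500, max_retries: int = 5) -> int:
    """PMTUD sender: payload bytes that reach the client before the connection stalls."""
    pmtu, delivered, retries = initial_mtu, 0, 0
    while delivered < payload:
        size = min(pmtu, payload - delivered + IP_HDR)
        outcome, next_hop_mtu = path.send(size)
        if outcome == "ok":
            delivered += size - IP_HDR
            retries = 0
        elif outcome == "icmp":
            pmtu = next_hop_mtu                 # honour the advertised MTU and resend smaller
        elif retries < max_retries:
            retries += 1                        # silence: resend the same size until timeout
        else:
            break                               # stalled: the "can't load the statement" symptom
    return delivered


def scenarios(login_page: int = 400, statement: int = 6000) -> dict:
    """Small and large responses over a path with a 1480-byte hop (constructed), three policies."""
    hops = [1500, 1480, 1500]
    policies = {
        "no_filter": Path(hops, None),
        "block_all_icmp": Path(hops, set()),
        "allow_frag_needed": Path(hops, {(ICMP_UNREACHABLE, CODE_FRAG_NEEDED)}),
    }
    return {(name, size): transfer(p, size)
            for name, p in policies.items() for size in (login_page, statement)}
```

The small response succeeds under every policy, the large one only when the "fragmentation needed" message is allowed back in, which is exactly the login-works-but-statement-hangs pattern in the story.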