[olug] VNC w/Qwest

Kevin sharpestmarble at gmail.com
Tue Oct 16 02:26:53 UTC 2007


On 10/15/07, Luke -Jr <luke at dashjr.org> wrote:
> On Monday 15 October 2007, Christopher Cashell wrote:
> > On 10/15/07, Luke -Jr <luke at dashjr.org> wrote:
> > > ICMP is a network infrastructure protocol. Networking standards assume it
> > > is always in place. For example, DHCP uses pings to determine if an
> > > address is in use. IP autoconfiguration generally will not work at all
> > > without ICMP. Even if you do not need these standards, disabling ICMP is
> > > still broken.
> >
> > DHCP and IP autoconfiguration are local network technologies, and not
> > intended to be used across disparate networks or the Internet.
>
> Well, I know of at least one case where blocking ICMP somehow prevented any
> internet access from working. Once ICMP was allowed, everything worked fine.
>
> > Like it or not, blocking ICMP at a border firewall is a valid technique for
> > increasing security,
>
> I don't see how it has any legitimate purpose.

If you don't see the computer at that IP, you're not going to attack
it, are you?

> > and in this day of NAT and connection sharing/pooling, it's very often
> > impossible to fully support Internet responding ICMP for all hosts on a
> > network.
>
> The day of NAT is gone. In this day of 128-bit addressing, every device should
> have a globally routable address and properly respond to ICMP.

Should. However, it's very much alive. I just left one job that used
NAT - both internally and in their clients - and went to work for
another job that used NAT - both internally and in their clients. I go
home to a collection of NAT'd systems, since I don't want to pay my
ISP for a second (or third, or fourth, or more) IP address.

I don't see any systems that have a v6 IP address; they all have v4.
Until the mass switchover to IPv6 occurs, NAT will live. And maybe
even then, for the security. If the router doesn't know where to send
your attack packet, it can't send it. Your NAT'd system is doubly
safe; you have to hack the router before you can even begin to hack
the end computer.
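As an added example for the filtering question argued above (it is not from the thread and not any participant's configuration): an nftables border ruleset that does what Christopher describes, dropping echo-request arriving from the Internet so hosts do not answer probes, while still accepting the ICMP error types that TCP path MTU discovery and IPv6 neighbour discovery depend on. Dropping those error types along with echo-request, i.e. a blanket ICMP block, is the well-known way to end up with the "nothing works until ICMP is allowed" situation Luke mentions. The interface names wan0 and lan0 are placeholders.

```nftables
# Added example, not from the mailing-list thread. Assumes a Linux router
# running nftables with a WAN interface "wan0" and a LAN interface "lan0"
# (both names are placeholders). Load with: nft -f border.nft
table inet border {
    chain input {
        type filter hook input priority filter; policy drop;

        # Replies to traffic the router itself started, plus loopback.
        ct state established,related accept
        iif lo accept

        # ICMPv4 from the Internet: keep the error signalling that TCP path
        # MTU discovery (fragmentation-needed is a destination-unreachable
        # code) and traceroute-style diagnostics rely on; refuse probes.
        iif "wan0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        iif "wan0" icmp type echo-request drop

        # ICMPv6 is not optional: packet-too-big is how IPv6 does PMTUD and
        # neighbour discovery runs over it. Accept those, still drop pings.
        iif "wan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        iif "wan0" icmpv6 type echo-request drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections the LAN opened (conntrack also
        # classifies ICMP errors about those connections as "related").
        ct state established,related accept

        # Unsolicited ICMP errors from the Internet that are needed for
        # connectivity still reach LAN hosts; echo-request does not
        # (it falls through to the drop policy).
        iif "wan0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        iif "wan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Anything the LAN originates may go out.
        iif "lan0" accept
    }
}
```

The point of the split is that "block ICMP" and "don't answer pings" are different policies: the first two accept lines in each chain are what keep large TCP transfers from stalling over a path with a smaller MTU, and the explicit echo-request drops are the only part that hides the hosts from a simple ping sweep. A check after loading it: ping from outside should time out, while a download from the LAN through a tunnel or PPPoE link (typically an MTU below 1500) should still complete rather than hang after the handshake.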


