10-19-2006 10:08 AM - edited 03-03-2019 02:24 PM
I have been doing some research on ICMP on border routers. From what I have read, common practice is to disable ICMP on the serial interface. How many troubleshooting problems does this present? Can I turn off ICMP timestamps on the serial int? Any help would be great, thanks.
~Shannon
10-19-2006 11:54 AM
Shannon
I would not agree that it is common practice to disable ICMP on border routers. I know that some people do this in the name of security, but I do not think that it qualifies as common practice. For one thing, doing this breaks Path MTU Discovery and may create problems as users in your network attempt to access some Internet resources. It may also create some issues if people outside of your network are enabled to access resources within your network.
In addition to issues with PMTUD, turning off ICMP will deny you the ability to ping or traceroute as part of troubleshooting access issues from within your network to destinations outside your network. There are several ICMP messages which provide really useful information (things like Time Exceeded, Host Unreachable, or Network Unreachable come to mind).
You can decide whether you want to allow things like can someone outside ping into your network. And if you decide that you do not want to allow that, you can deny that specific ICMP. But I believe that you lose more than you gain if you just deny all ICMP.
HTH
Rick
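An added example, not part of the original posts: one way the selective approach described above could look as an inbound IOS extended ACL, permitting the ICMP messages that PMTUD and traceroute depend on while denying inbound ping and timestamp requests. The ACL name `BORDER-IN`, the interface `Serial0/0`, and the final `permit ip any any` placeholder are assumptions for illustration.

```cisco
! Constructed example; ACL name and interface are assumptions.
ip access-list extended BORDER-IN
 remark Fragmentation-needed messages (type 3 code 4) required by Path MTU Discovery
 permit icmp any any packet-too-big
 remark Error messages used by traceroute and for diagnosing reachability
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark Replies to pings sourced from inside the network
 permit icmp any any echo-reply
 remark Specific requests this site chooses not to accept from outside
 deny   icmp any any echo
 deny   icmp any any timestamp-request
 remark Any other ICMP is dropped and logged for review
 deny   icmp any any log
 remark Placeholder standing in for the site's policy on non-ICMP traffic
 permit ip any any
!
interface Serial0/0
 ip access-group BORDER-IN in
```

The `unreachable` keyword already matches every type 3 code, so the separate `packet-too-big` line mainly gives PMTUD traffic its own hit counter in `show access-lists`.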
10-19-2006 12:02 PM
Rick,
Thank you very much for the reply. I am against disabling ICMP for the same reasons you specified. For those ICMP reply messages, such as Time Exceeded, etc., can't those provide info as far as whether or not the service is provided using programs like Nmap?