ICMP on Border Router

Snydersh1_2 · ‎10-19-2006

I have been doing some research on ICMP on border routers. From what I have read, common practice is to disable ICMP on the serial interface. How many trouble shooting problems does this present? Can I turn off ICMP timestamps on the serial int? Any help would be great, thanks.

~Shannon

Richard Burts · ‎10-19-2006

Shannon

I would not agree that it is common practice to disable ICMP on border routers. I know that some people do this in the name of security but I do not think that it qualifies as common practice. For one thing doing this breaks Path MTU Discovery and may create problems as users in your network attempt to access some Internet resources. It may also create some issues if people outside of your network are enabled to access resources within your network.

In addition to issues with PMTUD turning off ICMP will deny you the ability to ping or traceroute as part of troubleshooting access issues from within your network to destinations outside your network. There are several ICMP messages which provide really useful information (things like Time Exceeded, Host Unreachable, or Network Unreachable come to mind).

You can decide whether you want to allow things like can someone outside ping into your network. And if you decide that you do not want to allow that you can deny that specific ICMP. But I believe that you lose more than you gain if you just deny all ICMP.

HTH

Rick

HTH

Rick

Snydersh1_2 · ‎10-19-2006

Rick,

Thank you very much for the reply. I am against disabling ICMP for the same reasons you specified. For those ICMP reply, messages, such as Time Exceeded, etc.; Cant those provide info as far as whether or not the service is provided using programs like nMap?