Firewall Wizards mailing list archives

Re: how to block ICMP tunneling?


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Tue, 20 Jul 1999 11:23:24 -0700




In message <3988F0001E0BD31192180090274077D0702CC0 () sj-msg01 altera com>, Kyle Starkey writes:
I was under the impression that ICMP should be blocked coming from the
outside.  I can't think of any reason you would want someone from the
outside PINGing, TRACERTing or otherwise probing your internal network for
active hosts.  IMHO you should simply block the entire protocol from the
outside.

If you do, you break Path MTU, which can disrupt communications to many
sites.

Indeed.  I've really come to dislike ICMP.  It's just too "out of band" for its
own good.  Does anyone know if this is being improved in IPv6?  (Not that it will
necessarily do any good, but I don't know where else one would "fix" it.)
For Path MTU discovery, shouldn't there be an explicit way to get the
exact MTU discovered?  Say... as the SYN packet travels to the server,
have the routers decrement a "client path MTU" field to the smallest
MTU along the way.  Same with the SYN-ACK on the way back
with a "server path MTU".  There would have to be a way for it to change in
the middle, too, for re-routes.

Same for things like port unreachables.  Shouldn't they be part of the connection?
Easier to see for TCP vs. UDP.  Something similar to the OOB data, perhaps?

I've always been uncomfortable that some random IP along the path of
my connection has the "right" to tell me something is "wrong" even
when there is no obvious relationship to that connection.  Screws
up NAT, too. :)

                         Ryan
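
The practical middle ground between "block all ICMP" and "let any router on the path dictate my MTU" is what stateful firewalls do today: accept an ICMP error only when the packet it quotes belongs to a connection you actually have. The following is an added example, not code from the thread or from any product mentioned in it. It parses an ICMP type 3 code 4 (Fragmentation Needed) message, verifies its checksum, pulls the original IP header plus first 8 bytes of transport header that the router is required to echo back, and honours the advertised MTU only if that quoted flow is in a (constructed) flow table and the MTU is sane. The addresses, ports, and the `build_frag_needed` helper that manufactures sample input are all assumptions made for the demonstration.

```python
"""Accept an ICMP 'Fragmentation Needed' message only if it relates to a live flow.

Added example for the firewall-wizards thread on blocking ICMP; not code from
the original posts.  All packets and flows below are constructed locally.
"""
import struct
from ipaddress import IPv4Address

ICMP_DEST_UNREACH = 3   # ICMP type: Destination Unreachable
ICMP_FRAG_NEEDED = 4    # code: fragmentation needed and DF set (RFC 792/1191)
MIN_IPV4_MTU = 68       # RFC 791 minimum; anything smaller is bogus or hostile


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frag_needed(icmp: bytes):
    """Return (next_hop_mtu, quoted_flow) for a well-formed type-3/code-4 message.

    quoted_flow is (src, dst, proto, sport, dport) read from the original IP
    header and first 8 transport bytes that the router echoes back.  Returns
    None for any other type/code, a truncated message, or a bad checksum.
    """
    if len(icmp) < 8 + 20 + 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    if icmp_checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    ver_ihl = inner[0]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    proto = inner[9]
    src = str(IPv4Address(inner[12:16]))
    dst = str(IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return mtu, (src, dst, proto, sport, dport)


def accept_frag_needed(icmp: bytes, flows: set):
    """Stateful-firewall style decision: return the MTU to apply, or None to drop.

    The message is honoured only when the quoted packet matches a flow we
    originated; an error quoting a flow we never had is unrelated (or spoofed).
    """
    parsed = parse_frag_needed(icmp)
    if parsed is None:
        return None
    mtu, flow = parsed
    if flow not in flows:
        return None
    if mtu < MIN_IPV4_MTU:
        return None
    return mtu


def build_frag_needed(mtu, src, dst, proto, sport, dport) -> bytes:
    """Construct a router's type-3/code-4 reply quoting the given flow (sample input only)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s",
                           0x45, 0, 1500, 0x1234, 0x4000, 64, proto, 0,
                           IPv4Address(src).packed, IPv4Address(dst).packed)
    inner_l4 = struct.pack("!HHI", sport, dport, 0)  # first 8 bytes of TCP/UDP header
    header = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu)
    body = header + inner_ip + inner_l4
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


if __name__ == "__main__":
    # Constructed flow table: one outbound HTTPS connection from an inside host.
    flows = {("192.0.2.10", "198.51.100.7", 6, 44321, 443)}
    good = build_frag_needed(1280, "192.0.2.10", "198.51.100.7", 6, 44321, 443)
    bogus = build_frag_needed(1280, "192.0.2.10", "198.51.100.7", 6, 55555, 443)
    print(accept_frag_needed(good, flows))   # 1280
    print(accept_frag_needed(bogus, flows))  # None
```

This is the check Linux conntrack performs when a rule matches ICMP with state RELATED, so in practice you permit ICMP type 3 code 4 as RELATED rather than opening the whole protocol. Under IPv6 the same role is played by ICMPv6 Packet Too Big (type 2); since IPv6 routers never fragment, dropping it breaks Path MTU discovery outright, and the same "quoted packet must match a known flow" test applies.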