> Any router configured to block ICMP packets is, quite simply,
> in violation of RFC792 (STD5), which clearly states "ICMP is actually
> an integral part of IP, and must be implemented by every IP module."
> For a router, "implemented" means forwarded to the destination's next
> hop.
>
> So the fact is, by blocking ICMP, such ISPs have broken IP connectivity,
> and can no longer claim to be providing Internet (IP) service.

<yawn>

This debate has been going on since before I became a firewall developer
back in 1995...

Unfortunately, customers are more interested in a "usable" internet than
a "correct" one. As long as the bad guys keep abusing ICMP, we security
people will keep blocking it.

The trick, therefore, is to convince the "block everything" crowd to be
selective about ICMP the same way they are selective about (e.g.) TCP port
numbers. It's pretty easy these days to write good firewall rules that
allow, for example, Path MTU discovery to work. The "RELATED" state in
Linux's iptables rules is a good start...

-- 
Harald Koch
chk@xxxxxxxxx

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
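The selective-ICMP rules Harald describes, written out as an added example (this is not code from the post or from any ISP or project it mentions): an IPv4 `iptables-restore` ruleset for a default-deny Linux host that admits ICMP through conntrack's RELATED state plus a short explicit allow-list, so Path MTU discovery keeps working while the abused types stay blocked. The chain layout, the rate-limit values and the `allows_icmp` self-check are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from Harald Koch's post): a selective ICMP policy for an
# IPv4 Linux host, in iptables-restore format. Assumes iptables with the
# conntrack and limit matches available and a default-deny INPUT chain.
# The point is the one the post makes: do not block ICMP wholesale; admit the
# types a working IP stack needs (PMTUD above all) and let conntrack's
# RELATED state do most of the work.

icmp_policy() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Packets belonging to flows we started (ESTABLISHED) and ICMP errors that
# conntrack can tie to such a flow (RELATED). This one rule already admits a
# type 3 code 4 "fragmentation needed" that answers our own outbound traffic,
# which is exactly what Path MTU discovery needs. (Older rulesets spell this
# "-m state --state ESTABLISHED,RELATED"; same effect.)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Explicit accepts for the error types that keep IP working even when
# conntrack has no matching entry (asymmetric paths, or a flow that started
# before this table was loaded).
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Echo stays reachable for diagnostics, but rate-limited so the host is not a
# cheap ping-flood or reflection target. Limit values are an assumption.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# Same selectivity for traffic this box forwards (if it routes at all): the
# "fragmentation needed" must reach the sender on the far side, or PMTUD
# breaks for everyone behind us.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT
# Everything not listed (redirect, timestamp-request, address-mask-request,
# router-advertisement, ...) falls through to the chain's DROP policy: those
# are the types that get abused and that no ordinary host needs inbound.
COMMIT
EOF
}

# Does the generated policy carry an explicit ACCEPT for ICMP type $2 on
# chain $1? Used below to sanity-check the ruleset before loading it.
allows_icmp() {
    icmp_policy | grep -q -- "^-A $1 -p icmp --icmp-type $2 .*-j ACCEPT\$"
}

# "sh icmp-policy.sh" prints the ruleset; "sh icmp-policy.sh apply" (as root)
# loads it atomically with iptables-restore. Self-check first so an editing
# slip cannot silently drop the PMTUD rule.
allows_icmp INPUT fragmentation-needed || { echo "policy lost the PMTUD rule" >&2; exit 1; }
case "${1:-print}" in
    print) icmp_policy ;;
    apply) icmp_policy | iptables-restore ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Recent iptables releases accept `iptables-restore --test` for a parse-only dry run, which is worth piping the output through before `apply`. The IPv6 side is stricter still: ICMPv6 type 2 (packet too big) and the neighbor-discovery types 133 through 137 must be admitted in the `ip6tables` equivalent, or nothing on the link works at all.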