I had an interesting discussion this afternoon at work regarding the pros
and cons of permitting ICMP messages into the classified gateway environment
that we manage.
The necessity came up because something has been changed with the WAN link
between the site where I work and the site in Sydney, and the MTU is now
something more like 1300.
We're faced with the choice of:
- enabling ICMP Destination Unreachable packets through the firewalls
- lowering the MTU on the interfaces of all the servers in the
- stripping the Don't Fragment bit on all the IP datagrams at some point
before they traverse the WAN
If it were up to me, I'd be in favour of complying with RFC 1191 and being
done with it, but one of my co-workers piped up about covert tunnelling over
I have to admit that I hadn't heard about this until today. I had a read of
the Phrack article in question, and it
talks about doing it with ICMP Echo Request and Echo Reply packets, because
these can readily have data added to the payload.
I'm interested in hearing about any exploitation of ICMP Destination
Unreachable packets for such unintended purposes. I've raised this on the SAGE-AU mailing list, and the general
consensus of responses so far is that blocking such ICMP messages is going
to cause all sorts of breakage, and that if you're going to get paranoid
about covert tunnelling over ICMP, you need to start worrying about IP over DNS
and HTTPS proxying and a lot of physical security issues.
I agree completely. I'm all for Path MTU
Discovery working as intended, unless someone can give me a good reason
to the contrary. If I get time over the weekend, I'll have a bit of a play
with Ethereal and something like
sendip on my home LAN.