This is a draft guide to handling ICMP securely.
Guide Analysis to Handling ICMP protocol
Summary:
This guide is an attempt to help answer common questions related to the handling of ICMP protocol in a secure and effective manner. Comments and feedback is always welcomed. This article is meant to cover the major area in which there may be questions on how to handle ICMP and what specifically should we allow in each particular condition which will also allow for effective risk mitigation. If you need specifics on ICMP codes with in each ICMP type please refer to the reference URLs below.
Major ICMP Protocol Types:
– 0: Echo Reply
– 3: Destination Unreachable
– 4: Source Quench
– 5: Redirect (change a route)
– 8: Echo Request
– 9: Router Advertisement
– 10: Router Solicitation
– 11: Time Exceeded for a Datagram
– 12: Parameter Problem on a Datagram
– 13: Timestamp Request
– 14: Timestamp Reply
– 17: Address Mask Request
– 18: Address Mask Reply
Areas of Affect:
Perimeter
Outbound: Echo Reply (0), Echo Request (8) (For Troubleshooting)
Deny Type: All except (TTL Exceed (11) & (Type 3, Code 4) From Limited External Testing Devices.
Interior (Corporate Network)
Internal Deny: Should be handled on a case by case basis, however when permissible squelch Redirect (5), Router Advertisement (9), Router Solicitation (10), Timestamp Request (13), Timestamp Reply (14). Address Mask Request (17), and Address Mask Reply (18). The usefulness of the ICMP message types are deprecated by DHCP and NTP.
Internal Allow: Echo Reply (0), Destination Unreachable (3 Code 4), Echo Request (8), Time Exceeded (11)
Remote Access & Site to Site VPN
VPN Allow: Echo Reply (0), Destination Unreachable (3, Code 4), and Echo Request (8).
VPN Deny: Everything Else
Intranet to Intranet / Partner to Partner
Intranet to Intranet Allow: Echo Reply (0), Destination Unreachable (3 Code 4), Echo Request (8), Time Exceeded (11)
Intranet to Intranet Deny: Everything Else
References:
PMTU
http://www.tcpipguide.com/free/t_IPDatagramSizetheMaximumTransmissionUnitMTUandFrag-4.htm
ICMP
http://www.tcpipguide.com/free/t_ICMPv4TimestampRequestandTimestampReplyMessages-3.htm
University of Syracuse ICMP Lecture Notes