Mailing List Archive



Re: [tlug] Ping vs www server



On 19/04/2008, Stephen J. Turnbull <stephen@example.com> wrote:

> Josh Glover writes:
>
>   > 2. Public servers should drop echo message types (0, IIRC) on the
>   > floor while dealing with the rest of ICMP
>
> I don't get this.  Public servers can be pinged via TCP on at least
> one port by definition.  "Echo" is a tiny part of the stack, and it's
> way low (technically, ICMP is encapsulated in IP same as UDP or TCP,
> but considered to be part of IP rather than a higher level, see RFC
> 1122).  If you don't trust this part of your stack, what can you
> trust?

Again, I'm operating on the basic principle of security that says turn
off *everything* you don't need.

And I'm still not entirely convinced by your standards compliance
argument; lots of network hardware no longer uses ICMP for flow
control and routing, so new standards have and will emerge that are a
little more robust than ICMP has proven.

I mean, we basically need a new Internet, one built on protocols and
standards with security baked in from the beginning rather than
slathered on top.

I may be wrong in my stance; but my call is to protect my network at
any cost. Call me a bad citizen, but good fences make good neighbours,
or some such.

-- 
Cheers,
Josh
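The filtering Josh's point 2 describes (drop echo while still handling the rest of ICMP), as an added example that is not part of this thread: a small Python classifier over raw IPv4 packets that verifies the ICMP checksum, drops echo request (type 8) and echo reply (type 0), and accepts the error types a public server still needs (Destination Unreachable for path MTU discovery, Time Exceeded, Parameter Problem). The packets and the 192.0.2.x addresses are constructed test data, not captures.

```python
import struct

# ICMP message types from RFC 792 (echo request is type 8, echo reply type 0).
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 0, 3, 8, 11, 12

# Types a public server must keep receiving: Destination Unreachable carries
# "fragmentation needed" (path MTU discovery); Time Exceeded and Parameter
# Problem report real delivery errors. Everything else is dropped by default.
KEEP = {DEST_UNREACHABLE, TIME_EXCEEDED, PARAM_PROBLEM}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def icmp_verdict(packet: bytes) -> str:
    """Decide 'accept' or 'drop' for one raw IPv4 packet (header + payload)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop"                      # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        return "accept"                    # not ICMP: leave it to other rules
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp_checksum(icmp) != 0:
        return "drop"                      # truncated or corrupt ICMP message
    return "accept" if icmp[0] in KEEP else "drop"

def build_packet(icmp_type: int, code: int = 0, payload: bytes = b"") -> bytes:
    """Constructed sample IPv4+ICMP packet for testing (IP checksum left 0)."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    body = body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, 1, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip_hdr + body

if __name__ == "__main__":
    for name, t, c in [("echo-request", ECHO_REQUEST, 0),
                       ("frag-needed", DEST_UNREACHABLE, 4),
                       ("time-exceeded", TIME_EXCEEDED, 0)]:
        print(name, icmp_verdict(build_packet(t, c)))
```

The same policy expressed as nftables rules would be an `icmp type { echo-request, echo-reply } drop` rule alongside `icmp type { destination-unreachable, time-exceeded, parameter-problem } accept`, with the chain's default policy handling the remainder.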
