Solved

Disabling ICMP

Posted on 2014-03-18
Last Modified: 2014-05-07
Would like to know if disabling ICMP across all devices in the network is a worthwhile exercise.
Question by:IT Department

Accepted Solution

by:
Akinsd earned 500 total points
ID: 39937345
It could be, but the impact depends on network needs.

You can't disable it per se, but you can block the traffic.
Be aware that pings, traceroutes, etc. would not work if ICMP (Internet Control Message Protocol) traffic is blocked across the network.

See the following from Wikipedia:
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol


Control messages

Notable control messages[4][5]

Type                                    Code  Description
0 – Echo Reply[3]:14                    0     Echo reply (used to ping)
1 and 2                                       Reserved
3 – Destination Unreachable[3]:4        0     Destination network unreachable
                                        1     Destination host unreachable
                                        2     Destination protocol unreachable
                                        3     Destination port unreachable
                                        4     Fragmentation required, and DF flag set
                                        5     Source route failed
                                        6     Destination network unknown
                                        7     Destination host unknown
                                        8     Source host isolated
                                        9     Network administratively prohibited
                                        10    Host administratively prohibited
                                        11    Network unreachable for TOS
                                        12    Host unreachable for TOS
                                        13    Communication administratively prohibited
                                        14    Host Precedence Violation
                                        15    Precedence cutoff in effect
4 – Source Quench                       0     Source quench (congestion control)
5 – Redirect Message                    0     Redirect Datagram for the Network
                                        1     Redirect Datagram for the Host
                                        2     Redirect Datagram for the TOS & network
                                        3     Redirect Datagram for the TOS & host
6                                             Alternate Host Address
7                                             Reserved
8 – Echo Request                        0     Echo request (used to ping)
9 – Router Advertisement                0     Router Advertisement
10 – Router Solicitation                0     Router discovery/selection/solicitation
11 – Time Exceeded[3]:6                 0     TTL expired in transit
                                        1     Fragment reassembly time exceeded
12 – Parameter Problem: Bad IP header   0     Pointer indicates the error
                                        1     Missing a required option
                                        2     Bad length
13 – Timestamp                          0     Timestamp
14 – Timestamp Reply                    0     Timestamp reply
15 – Information Request                0     Information Request
16 – Information Reply                  0     Information Reply
17 – Address Mask Request               0     Address Mask Request
18 – Address Mask Reply                 0     Address Mask Reply
19                                            Reserved for security
20 through 29                                 Reserved for robustness experiment
30 – Traceroute                         0     Information Request
31                                            Datagram Conversion Error
32                                            Mobile Host Redirect
33                                            Where-Are-You (originally meant for IPv6)
34                                            Here-I-Am (originally meant for IPv6)
35                                            Mobile Registration Request
36                                            Mobile Registration Reply
37                                            Domain Name Request
38                                            Domain Name Reply
39                                            SKIP Algorithm Discovery Protocol, Simple Key-Management for Internet Protocol
40                                            Photuris, Security failures
41                                            ICMP for experimental mobility protocols such as Seamoby [RFC4065]
42 through 255                                Reserved

Expert Comment

by:Dave Baldwin
ID: 39937392
What would be the purpose of disabling it?

Expert Comment

by:Akinsd
ID: 39937413
Great question.

It could be but impact depends on network needs.

Means you don't want any of the listed traffic to traverse your network. Inasmuch as this is rarely implemented globally on a network, it is still an option if any engineer wants to pursue that.

Common practice is to block ICMP traffic on public interfaces or sensitive devices to prevent replies to untrusted requesters.

Expert Comment

by:TimotiSt
ID: 39938503
Just blocking all ICMP is becoming a bad practice, as for IPv4 you're just making debugging (and hence hacking) problematic, but IPv6 operation depends on ICMP a great deal.
0
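
To make the trade-off in this thread concrete, the Python example below (added here, not posted by any participant) compares a blanket ICMP block with a selective inbound filter, using type/code pairs from the table quoted in the accepted answer. The allow-list in `ALLOW_IN`, the helper names `build`, `decide` and `dropped`, and the 8-byte sample messages are assumptions made for illustration; type 3 code 4 is the message path MTU discovery relies on, and type 11 is what traceroute reads.

```python
import struct

# Assumed inbound policy for a public interface (illustrative, not from the thread):
# keep error/diagnostic replies, drop requests and rarely needed types.
# None as the code means "any code of this type".
ALLOW_IN = {(0, None), (3, None), (11, None)}

# Constructed samples: (type, code) -> description from the table quoted above.
SAMPLES = {
    (0, 0): "Echo reply",
    (3, 4): "Fragmentation required, and DF flag set",
    (5, 1): "Redirect Datagram for the Host",
    (8, 0): "Echo request",
    (11, 0): "TTL expired in transit",
    (13, 0): "Timestamp",
    (17, 0): "Address Mask Request",
}

def checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Build a sample ICMP message: type, code, checksum, rest of header."""
    csum = checksum(struct.pack("!BBH", icmp_type, code, 0) + rest)
    return struct.pack("!BBH", icmp_type, code, csum) + rest

def decide(msg: bytes, policy: str) -> str:
    """Return 'accept' or 'drop' for a raw ICMP message under a policy."""
    if len(msg) < 8 or checksum(msg) != 0:
        return "drop"                      # truncated or corrupted message
    icmp_type, code = msg[0], msg[1]
    if policy == "selective" and ({(icmp_type, code), (icmp_type, None)} & ALLOW_IN):
        return "accept"
    return "drop"                          # "block_all" and everything not listed

def dropped(policy: str) -> list:
    """Descriptions of the sample messages a policy drops."""
    return [name for (t, c), name in SAMPLES.items()
            if decide(build(t, c), policy) == "drop"]

if __name__ == "__main__":
    for policy in ("block_all", "selective"):
        print(policy, "drops:", dropped(policy))
```
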
