Should I Block ICMP?
a year ago
- #Troubleshooting
- #Network Security
- #ICMP
- ICMP is often considered a security risk and blocked at firewalls, but not all ICMP traffic should be blocked.
- Ping (Echo Request/Reply) is essential for troubleshooting but can be selectively allowed or blocked based on direction.
- Fragmentation Needed / Packet Too Big ICMP messages are crucial for Path MTU Discovery (PMTUD) to avoid traffic black-holing.
- Traceroute relies on ICMP Time Exceeded messages to map network paths; blocking these makes troubleshooting difficult.
- IPv6 uses ICMP for Neighbour Discovery Protocol (NDP) and SLAAC, which are essential for IPv6 functionality.
- Rate limiting ICMP traffic is recommended to prevent abuse and excessive CPU usage on routers.
- Understanding ICMP's role and selectively allowing necessary messages is key to network security and functionality.
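
The selective policy summarised above, written as a Linux nftables ruleset. This is an added example, not configuration from the original article; the table name, the choice of a host input chain, and every rate value are assumptions made for illustration.

```nftables
# Constructed example: host input policy that filters ICMP by type instead of
# dropping it wholesale. The blanket rule it replaces would be:
#   meta l4proto { icmp, ipv6-icmp } drop
table inet icmp_policy {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Echo replies to our own pings, plus ICMP errors that conntrack ties
        # to a flow this host opened, arrive as established/related.
        ct state established,related accept

        # IPv6 NDP and SLAAC. These are link-local by design, so require
        # hop limit 255 to reject copies forwarded from off-link.
        ip6 hoplimit 255 icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Path MTU Discovery: IPv4 Fragmentation Needed (type 3, code 4)
        # and IPv6 Packet Too Big. Dropping these black-holes large packets.
        icmp type destination-unreachable icmp code 4 limit rate 20/second accept
        icmpv6 type packet-too-big limit rate 20/second accept

        # Time Exceeded (traceroute) and the remaining error messages.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } limit rate 20/second accept
        icmpv6 type { destination-unreachable, time-exceeded, parameter-problem } limit rate 20/second accept

        # Inbound ping: permitted, but rate limited to bound CPU cost.
        # Delete these two rules to allow ping outbound only.
        icmp type echo-request limit rate 5/second burst 10 packets accept
        icmpv6 type echo-request limit rate 5/second burst 10 packets accept

        # Any other ICMP type (redirect, timestamp, ...) reaches policy drop.
    }
}
```

Load it with `nft -f <file>` on a test host first: the chain's drop policy applies to all inbound traffic, so rules for the services the host actually offers have to be added alongside it.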