[routing-wg] request to enable ICMP echo-reply on rpki.ripe.net?
Daniel Suchy
danny at danysek.cz
Wed May 5 13:54:57 CEST 2021
Security through obscurity isn't security. Even this approach is popular in some places. I don't think there isn't valid *security* reason to fully block ICMP echo requests on NCC firewalls. This just makes diagnostics of network/connectivity incidents harder (and more unfriendly). In fact, requests are processed and ICMP responses are sent by firewalls anyway (admin prohibited / packet filtered).

- Daniel

On 5/5/21 12:52 PM, Kurt Kayser wrote:
> Gert,
>
> you surely know that every enabled protocol/port is a potential threat.
>
> .kurt
>
>
> On 05.05.21 at 12:32, Gert Doering wrote:
>> Hi,
>>
>> On Wed, May 05, 2021 at 12:30:01PM +0200, Kurt Kayser wrote:
>>> I understand your point. But there is really no big effort to check if
>>> Port 873 is working:
>>>
>>> <host>nc -zvw100 rpki.ripe.net 873
>>> Connection to rpki.ripe.net 873 port [tcp/rsync] succeeded!
>>>
>>> Let's make a security comparison, if this is really a necessary feature?
>> So where exactly is the *security* drawback of permitting ICMP echo?
>>
>> But yes, of course, we can all do tcpping instead - which is much
>> more likely to have an adverse effect on the actual service...
>>
>> Gert Doering
>> -- NetMaster