Why filtering ICMP is problematic

ICMPv6 and ICMP are mandatory for the proper functioning of IP. ICMP (or ICMPv6) is often mistakenly equated with “ping”. By switching off ICMP, it is hoped that this will increase security, as the IP host can no longer be reached via “ping” and thus supposedly becomes invisible.

In reality, however, the accessibility check via “ping” is only one of many ICMP functions. IPv6 uses ICMP as an aid to addressing; both IP protocols use it to determine the optimum packet size for the transmission path.

If the packets required for this are filtered, in the simplest case individual remote stations may no longer be accessible (the loading of websites simply “hangs”) or occasional network problems may occur that are difficult to trace.

Recommendation of the HRZ

Basic protection for problematic or unnecessary ICMP types is set up at the TU firewall.

In general, you should only block ICMP yourself if you want to consciously accept the possible risks. Current operating systems are not jeopardised by ICMP.

If you still want to block ICMP, you will find valuable tips for a sensible configuration under the following links:

https://www.rfc-editor.org/rfc/rfc4890#page-18

https://hepix-ipv6.web.cern.ch/content/examples-rfc4890-compliant-icmp-filter-configuration

https://datatracker.ietf.org/doc/html/draft-ietf-opsec-icmp-filtering-04