View Single Post
  #7   (View Single Post)  
Old 8th December 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,911

For clarity, allow me to quote a little bit from Networking for Systems Administrators:
ICMP handles low-level connectivity messages between hosts. Every host that implements IP must also support ICMP. While ping requests are the most commonly known type of ICMP traffic, many core Internet functions rely on ICMP. If a datalink-layer message (a frame) is too large, the complaint passes over ICMP. ICMP is where hosts respond to ping requests and tell traffic to go around the other way. Unilaterally blocking all ICMP is a good way to break applications.* Most of the time, ICMP runs silently in the background
Reducing MTU size below the standard can even break web browsing, especially if ICMP is also blocked. (ICMP is used to exchange MTU errors along a connection path.)
Some multi-tier networks have multiple routers in certain broadcast domains. Normally the main router sends an ICMP redirect message when the client tries to reach a host behind a secondary router, telling the client to go to the secondary router for that host....Sometimes ICMP redirects don’t work and you must configure static routes on your hosts. This is often because the network administrator has filtered ICMP redirects in compliance with the “all ICMP is dangerous and must be stopped” myth.
And of course, from the top footnote:
* Yes, some network administrators unconditionally block all ICMP from entering or leaving their network. They are almost always wrong.
Reply With Quote