ICMP and its cousin ICMPv6 are fundamental components of IP networks and the Internet. Their most well-known use is the ping command, but there is much more to them than that: they are used to exchange all kinds of control messages between Internet-connected devices. They are also regularly blocked by firewalls, which causes issues that are very hard to diagnose.
ICMP is used exclusively with IPv4, and ICMPv6 only exists on IPv6. You can often get away with blocking ICMP outright and not notice anything amiss. However, if you block ICMPv6 entirely, hosts can’t find out about each other so IPv6 stops working altogether. The two protocols are closely related but ICMPv6 does a lot more than ICMP; it has absorbed functionality from protocols such as ARP and parts of DHCP, hence its more critical role in IPv6 networks.
The protocols are used to notify systems of problems such as a router stating a destination is not reachable. In this case blocking ICMP generally leads to connection attempts appearing to time out rather than quickly getting an error response. This doesn’t sound like a big problem, but hidden in the list of ICMP Type 3 (Destination Unreachable) signals is Code 4 (fragmentation needed and DF set), a message which serves a greater purpose than simply telling the other end to go away.
Path MTU Discovery
IPv4 and IPv6 are usually carried on Ethernet networks that can transmit packets up to 1500 bytes long, but this isn’t always the case. When one end or the other—or any of the routers in between them—can’t send or receive packets that big then one of two things should happen:
- Packets are split into fragments which can fit through the narrower links and re-assembled at the far end. This can require considerable memory and CPU utilisation, so many systems legitimately refuse to do this.
- If the packet is marked Don’t Fragment (DF) a message must be sent back to say it can’t get through. This process is called Path MTU Discovery (PMTUD).
The TCP protocol always sets the Don’t Fragment flag and it depends on Path MTU Discovery to operate correctly.
This is a bit like sending something in the post that won’t fit through the recipient’s letter box: the postman might fold it up and push it through anyway, or if it’s marked DO NOT BEND they might have no option but to send it back.
If PMTUD is disrupted, a connection may work most of the time but things start to act very oddly in the wrong conditions. If packets are small enough they will be passed through, such as the initial connection attempts to a web server. Very small requests will probably also succeed, but if you ask for too much data the connection will simply stall indefinitely. The other end will be constantly resending packets that are too large, but the messages that should say what’s happening are being dropped. This stalling behaviour also usually happens only on either the sending or the receiving end, not both: you may be able to download very large files from a web server that blocks such ICMP messages, but you won’t be able to make large requests to it—or vice versa.
A few years ago a swathe of systems running Microsoft Windows found themselves unable to download security updates from Microsoft; Windows Update would hang and eventually time out. It transpired that such systems were on Internet links with a reduced MTU, which was common with various types of consumer Internet connection. Despite these Internet connections being correctly configured and sending the appropriate messages back to Microsoft, Microsoft’s firewalls were configured to block them. Microsoft have since fixed their firewalls and additional workarounds are routinely applied on routers that cater to this specific situation (MSS Clamping), but it’s a good illustration of the unintended consequences of being too strict with a firewall in non-obvious ways.
The venerable ping is a very simple tool: systems will send a message asking the remote end to echo the same message back to them. This is invaluable in working out what might be going wrong somewhere in a network or at various points between networks. Ping has historically had a bad reputation due to the Ping of Death bugs prevalent in early operating systems, but these have now been eradicated.
It’s very common practice to block ping messages in firewalls, but if any public service is offered through a network then this can be abused in ways much more serious than ping can. Most of the top Internet destinations accept pings, including Google, YouTube, Facebook, Wikipedia, Yahoo and Amazon. If you are running a web server, it’s generally more helpful to users to permit pings than it is to block them because it can be used to quickly diagnose simple connectivity issues.
Next time you are working on a firewall, please don’t forget about ICMP and ICMPv6, and consider carefully what portions of those protocols are safe to block and which might have unintended side effects.