Hi Scott:
>> As a rule of thumb, when people ask me for assistance regarding troubles reaching a computer and I can't ping it, I tell them that it can't be pinged, and they have to take care of it from there. If you disable a vital networking tool, you need to accept the consequences. <<
That's fine - IF I asked Computerized Horizon to diagnose connectivity to my network, I would support that position. But, since we are NOT talking about that, I really don't see how your comment could remotely apply to the issue at hand.
The ONLY entity who has any reason to "diagnose" my connectivity are my backbone providers - and anyone can ping up to and even across my border routers to the internal interfaces. There is no point, even for THEM, to ping INSIDE my network, because my local Ethernets and its wiring are MY responsibility - not theirs. (The only exception might be if they were managing my border routers for me.)
You've never had to request additional IP blocks from an upstream provider have you?? ;) They will rarely grant you the additional blocks if they can't verify that you are efficiently using the blocks that you have. They do this verification with an echo request... But of course, you can open your firewall to only allow them in!!
Anyone who successfully ping across my router has done all the diagnostics they need to do. I can handle it from there. If anyone wants to ping inside my network, they'll have to come to my office and then they are more than happy to send ICMP commands all over my Ethernets.
I suggest people become familiar with the very long list of various ICMP exploits and DOS attacks, before suggesting that it should be "wide open". I
Maybe I'm way off base here, but I was (possibly wrongly) under the assumption that the majority of ICMP vulns/sploits were pretty old. If there have been some recent vulns/sploits, I'd love to read more about them. And remember a DDoS or DoS is just as easy to launch against a TCP/UDP port as it is against ICMP.
Thanks,
Russ
--- [This E-mail scanned for viruses by Declude Virus]
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
