[routing-wg] request to enable ICMP echo-reply on rpki.ripe.net?

Kurt Kayser <kurt_kayser at gmx.de> writes:

Kurt,

> you surely know that every enabled protocol/port is a potential threat.

<rant>
Yes. Many years ago we had a ping of death implemented in Windows
98(?). And then in some other IP implementations as well.  So ping is
evil!!1!!! Somebody could easily and with little overhead diagnose
problems or just do simple monitoring.

The additional overhead of using TCP is absolutely no problem for a
modern system! Even if more then half of the users setup a check in
their monitoring every minute or so.

Please disable ICMP(v6) everywhere! Nobody needs PMTUD, ping and
diagnostic messages! And disabling ICMPv6 makes IPv6 networks so much
more secure.

And we shouldn't stop there. Everybody who wants to access a service
should have a written contract to do so. Every connection should be
allowed with a packet filter *and* a router ACLs. Also there should be
no direct connection to the service itself. Everything has to go through
a proxy! Because proxies no any protocol better than the service itself.
</rant>

Jens
-- 
----------------------------------------------------------------------------
| Delbrueckstr. 41    | 12051 Berlin, Germany           | +49-151-18721264 |
| http://blog.quux.de | jabber: jenslink at quux.de        | ---------------  | 
----------------------------------------------------------------------------