[routing-wg] request to enable ICMP echo-reply on rpki.ripe.net?

Security through obscurity isn't security. Even this approach is popular 
on some places.

I don't thing there isn't valid *security* reason to fully block ICMP 
echo requests on NCC firewalls. This just makes diagnostics of 
network/connectivity incidents harder (and more unfriendly). In the 
fact, requests are processed and ICMP responses are sent by firewalls 
anyway (admin prohibited / packet filtered).

- Daniel

On 5/5/21 12:52 PM, Kurt Kayser wrote:
> Gert,
> 
> you surely know that every enabled protocol/port is a potential threat.
> 
> .kurt
> 
> 
> Am 05.05.21 um 12:32 schrieb Gert Doering:
>> Hi,
>>
>> On Wed, May 05, 2021 at 12:30:01PM +0200, Kurt Kayser wrote:
>>> I understand your point. But there is really no big effort to check if
>>> Port 873 is working:
>>>
>>> <host>nc -zvw100 rpki.ripe.net 873
>>> Connection to rpki.ripe.net 873 port [tcp/rsync] succeeded!
>>>
>>> Let's make a security comparison, if this is really a necessary feature?
>> So where exactly is the *security* drawback of permitting ICMP echo?
>>
>> But yes, of course, we can all do tcpping instead - which is much
>> more likely to have an adverse effect on the actual service...
>>
>> Gert Doering
>>          -- NetMaster
>