Making your network troubleshooting friendly

Table of Contents
Then, do we let it all through?
The easy way out: The buck stops here
Letting ping through
Helping traceroute
Path MTU discovery

Making your network troubleshooting friendly is a potentially large subject. Most of the time, how debugging or troubleshooting friendly your TCP/IP network is depends on how you treat the one Internet protocol that was designed specifically with debugging in mind: the Internet Control Message Protocol, usually abbreviated ICMP.

ICMP is the protocol for sending and receiving control messages between hosts and gateways, mainly to give a sender feedback about unusual or difficult conditions on the way to the target host.

A lot of ICMP traffic happens quietly in the background while you surf the web, read mail or transfer files. Routers (you are aware that you are building one, right?) use ICMP to tell senders which packet sizes a path can carry, along with other transmission parameters, in a process usually referred to as path MTU discovery.

You may have heard admins referring to ICMP as either 'just evil', or, if their understanding runs a little deeper, 'a necessary evil'. The reason for this attitude is purely historical: some years back it was discovered that several operating systems contained code in their networking stacks which could make a machine crash and fall over, or in some cases just do really strange things, when it received a sufficiently large ICMP request.

One of the companies hit hard by this was Microsoft, and you can find rather a lot of material on the 'ping of death' bug by using your favorite search engine. This all happened in the second half of the 1990s, and all modern operating systems, at least the ones whose source we can read, have thoroughly sanitized their network code since then. At least that's what we are led to believe.

One of the early workarounds was simply to block either all ICMP traffic or at least ICMP ECHO, the type ping uses. Those rule sets have now been around for roughly ten years, and the people who put them there are still scared.

Then, do we let it all through?

The obvious question then becomes, if ICMP is such a good and useful thing, should we not let it all through, all the time? The answer is, 'It depends'.

Letting diagnostic traffic pass unconditionally of course makes debugging easier, but it also makes it relatively easy for others to extract information about your network. That means that a rule like

pass inet proto icmp

might not be optimal if you want to cloak the internal workings of your network in a bit of mystery. In all fairness it should also be said that some ICMP traffic will quite harmlessly ride piggyback on your keep state rules: ICMP error messages that refer to a connection PF already has a state entry for are matched against that state and let through, whether or not you have a rule that passes ICMP explicitly.
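As an added example, not taken from the original page, here is the permissive rule above beside a narrower one that admits only the ICMP types the debugging tools in this section need: echo requests, which is what ping sends, and destination unreachable, the type that carries the 'fragmentation needed' messages used by path MTU discovery. The interface name and the macro names are assumptions for illustration:

```pf
# Added example, not from the original page. $ext_if and $icmp_types
# are assumed names for illustration.
ext_if = "em0"

# Permissive: every ICMP type and code, in both directions. Easiest to
# debug, but also answers timestamp and address mask requests, which
# tells outsiders more about your hosts than you may want.
pass inet proto icmp all keep state

# Restricted: only echo requests (ping) and destination unreachable
# (path MTU discovery). ICMP errors belonging to connections that
# already have a state entry still get through via that state.
icmp_types = "{ echoreq, unreach }"
pass on $ext_if inet proto icmp all icmp-type $icmp_types keep state
```

Only one of the two pass rules belongs in a real rule set; they are shown together to make the difference visible. With the restricted variant, a ping from outside still gets an answer and a 'fragmentation needed' error still reaches the sender, but a timestamp or address mask request is silently dropped.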