Network Administrators Debate ICMP Blocking Practices

Author: Ze Research Writer

An educational resource explaining why blanket ICMP blocking causes network problems gained renewed attention, highlighting the ongoing tension between security practices and protocol functionality.

A website dedicated to explaining why network administrators should not block all ICMP (Internet Control Message Protocol) traffic gained significant attention on May 21, 2025. The resource, shouldiblockicmp.com, authored by Jason Ashworth, provides technical explanations of critical ICMP message types that networks require for proper operation.

What Happened

On May 21, 2025, the shouldiblockicmp.com resource appeared on Hacker News and accumulated 122 points with 96 comments. The discussion revealed that many network administrators continue to implement blanket ICMP blocking despite documented problems this causes.

The website, created by Jason Ashworth, presents a direct answer to its titular question: "No!!" The resource then explains specific ICMP message types and their functions, providing technical context for why each should be permitted through firewalls.

The Hacker News discussion included network engineers sharing experiences with troubleshooting connectivity issues caused by ICMP blocking, particularly Path MTU Discovery failures, which produce connections that establish successfully but then fail when transferring larger data payloads.

Key Claims and Evidence

According to the shouldiblockicmp.com resource, Fragmentation Needed (IPv4 Type 3, Code 4) and Packet Too Big (IPv6 Type 2, Code 0) messages are "VERY important" because they enable Path MTU Discovery (PMTUD). The site explains that blocking these messages causes traffic to be "silently black-holed" when packets exceed the MTU of intermediate links.

The resource references RFC 4821, which defines Packetization Layer Path MTU Discovery (PLPMTUD) as a workaround for networks where ICMP is blocked. However, the site notes this approach is "not as efficient as learning directly what the maximum MTU should be."

For IPv6 networks, the site identifies five ICMP message types essential for Neighbor Discovery Protocol (NDP) and Stateless Address Autoconfiguration (SLAAC): Router Solicitation (Type 133), Router Advertisement (Type 134), Neighbor Solicitation (Type 135), Neighbor Advertisement (Type 136), and Redirect (Type 137).

Pros and Opportunities

Permitting essential ICMP traffic enables proper Path MTU Discovery, preventing the "black hole" problem where TCP connections establish but stall during data transfer. Network troubleshooting becomes more effective when ping (Echo Request/Reply) and traceroute (Time Exceeded) messages function correctly.

IPv6 networks require ICMP for basic operation. Unlike IPv4, which uses ARP for address resolution, IPv6 relies on NDP, which operates over ICMPv6. Blocking ICMPv6 on internal networks breaks IPv6 functionality entirely.

Rate limiting ICMP rather than blocking it outright provides security benefits while maintaining protocol functionality. The resource recommends this approach as a balanced solution.
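Written out as a policy, the "permit what the protocol needs, rate-limit the rest" approach looks like the following added example. It is constructed for this article and is not the resource's own rule set. The type and code numbers for Fragmentation Needed, Packet Too Big and the five NDP messages are those the resource cites; the ICMPv6 Echo types (128/129), the per-source token bucket and its parameters are assumptions chosen for illustration.

```python
"""Allow-list plus per-source rate limit for ICMP, as a policy evaluator.

Added example (constructed; not the resource's or the article's code).
"""
from dataclasses import dataclass

# (type, code) -> action; a code of None matches any code for that type.
# "accept": needed for the protocol to work; "ratelimit": useful but abusable.
ICMPV4_POLICY = {
    (3, 4): "accept",       # Fragmentation Needed -> Path MTU Discovery
    (11, None): "accept",   # Time Exceeded -> traceroute, TTL expiry
    (0, 0): "accept",       # Echo Reply (answers to our own pings)
    (8, 0): "ratelimit",    # Echo Request: keep ping working, cap sweeps and floods
}
ICMPV6_POLICY = {
    (2, 0): "accept",       # Packet Too Big -> Path MTU Discovery
    (133, 0): "accept",     # Router Solicitation      } Neighbor Discovery / SLAAC:
    (134, 0): "accept",     # Router Advertisement     } IPv6 does not work
    (135, 0): "accept",     # Neighbor Solicitation    } without these five
    (136, 0): "accept",     # Neighbor Advertisement   }
    (137, 0): "accept",     # Redirect                 }
    (129, 0): "accept",     # Echo Reply   (type numbers assumed, not from the article)
    (128, 0): "ratelimit",  # Echo Request (assumed)
}
# Anything not listed is dropped, e.g. IPv4 Timestamp (13) or Address Mask (17) requests.


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def take(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass(frozen=True)
class IcmpPacket:
    family: int   # 4 or 6
    type: int
    code: int
    src: str


class IcmpPolicy:
    """Decides accept/drop per packet; rate-limited classes get one bucket per source."""

    def __init__(self, echo_rate=5.0, echo_burst=10):
        self.echo_rate, self.echo_burst = echo_rate, echo_burst
        self.buckets = {}

    def decide(self, pkt, now):
        table = ICMPV4_POLICY if pkt.family == 4 else ICMPV6_POLICY
        action = table.get((pkt.type, pkt.code)) or table.get((pkt.type, None))
        if action is None:
            return "drop"
        if action == "accept":
            return "accept"
        bucket = self.buckets.setdefault(
            pkt.src, TokenBucket(self.echo_rate, self.echo_burst))
        return "accept" if bucket.take(now) else "drop"


def demo():
    """Constructed traffic: PMTUD feedback, an NDP message, a burst of pings from
    one source, and a type that nothing on the page needs."""
    policy = IcmpPolicy(echo_rate=5.0, echo_burst=10)
    results = {
        "frag_needed": policy.decide(IcmpPacket(4, 3, 4, "203.0.113.1"), 0.0),
        "neighbor_solicit": policy.decide(IcmpPacket(6, 135, 0, "fe80::1"), 0.0),
        "timestamp_request": policy.decide(IcmpPacket(4, 13, 0, "203.0.113.9"), 0.0),
    }
    flood = [policy.decide(IcmpPacket(4, 8, 0, "198.51.100.7"), 0.0) for _ in range(15)]
    results["pings_accepted_in_burst"] = flood.count("accept")      # 10 of 15
    # A second source has its own bucket and is not affected by the first one's flood.
    results["other_source_ping"] = policy.decide(IcmpPacket(4, 8, 0, "198.51.100.8"), 0.0)
    # One second later the flooding source has earned 5 more tokens.
    later = [policy.decide(IcmpPacket(4, 8, 0, "198.51.100.7"), 1.0) for _ in range(8)]
    results["pings_accepted_after_1s"] = later.count("accept")       # 5 of 8
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that the rate limit is keyed by source address: a single host sweeping the network exhausts only its own bucket, while ping from everyone else keeps working. The default-drop for unlisted types is what makes this an allow-list rather than a block-list.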

Cons, Risks, and Limitations

ICMP can be exploited for network reconnaissance. Echo Request messages reveal which hosts are active, and certain ICMP error messages can leak information about network topology. Attackers have historically used ICMP for covert channels and denial-of-service amplification.

Some Hacker News commenters argued that modern operating systems implement PLPMTUD, reducing the dependency on ICMP for MTU discovery. Others noted that certain high-security environments have legitimate reasons to block ICMP at network boundaries.

The resource acknowledges that "a lot of ICMP should be blocked" but argues against blanket blocking. Determining which specific message types to permit requires technical knowledge that not all administrators possess.
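One way to find out whether an existing policy already drops the types the resource calls essential is to read the firewall's own drop log. The following is an added example, not code from the article or from shouldiblockicmp.com: it parses constructed, simplified iptables/ip6tables-style LOG lines (the log prefix, addresses and other fields are assumptions; the type numbers in the "essential" set are those the resource lists) and reports how often each essential message was dropped.

```python
"""Audit firewall drop logs for blocked ICMP types that PMTUD and NDP depend on.

Added example with constructed log lines; not the article's or the resource's code.
Line layout follows the iptables/ip6tables LOG target (PROTO=ICMP TYPE=.. CODE=..),
reduced to the fields the audit needs.
"""
import re
from collections import Counter

# (family, type, code) the resource describes as required for the protocol to work.
ESSENTIAL = {
    (4, 3, 4): "IPv4 Fragmentation Needed (PMTUD)",
    (6, 2, 0): "IPv6 Packet Too Big (PMTUD)",
    (6, 133, 0): "Router Solicitation (NDP)",
    (6, 134, 0): "Router Advertisement (NDP)",
    (6, 135, 0): "Neighbor Solicitation (NDP)",
    (6, 136, 0): "Neighbor Advertisement (NDP)",
    (6, 137, 0): "Redirect (NDP)",
}

# "FW-DROP" is an assumed log prefix for the firewall's drop rule.
LOG_RE = re.compile(
    r"FW-DROP:.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?"
    r"PROTO=(?P<proto>ICMPv6|ICMP) TYPE=(?P<type>\d+) CODE=(?P<code>\d+)"
)


def parse_drop(line):
    """Return (family, type, code, src, dst) for a dropped ICMP line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    family = 6 if m["proto"] == "ICMPv6" else 4
    return family, int(m["type"]), int(m["code"]), m["src"], m["dst"]


def audit(lines):
    """Count dropped essential messages and return {description: count}.
    Non-ICMP lines and non-essential ICMP types (e.g. echo) are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue
        key = rec[:3]
        if key in ESSENTIAL:
            counts[key] += 1
    return {ESSENTIAL[k]: n for k, n in counts.items()}


# Constructed sample: two dropped Fragmentation Needed errors, one Packet Too Big,
# one Router Advertisement, one echo request, and one unrelated TCP drop.
SAMPLE_LOG = """\
Jun  3 10:12:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=ICMP TYPE=3 CODE=4
Jun  3 10:12:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=ICMP TYPE=3 CODE=4
Jun  3 10:12:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.40 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
Jun  3 10:12:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=2001:db8:1::9 DST=2001:db8:2::5 PROTO=ICMPv6 TYPE=2 CODE=0
Jun  3 10:12:06 fw kernel: FW-DROP: IN=eth1 OUT= SRC=fe80::1 DST=ff02::1 PROTO=ICMPv6 TYPE=134 CODE=0
Jun  3 10:12:07 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.10 PROTO=TCP SPT=4444 DPT=22
"""


if __name__ == "__main__":
    for description, count in audit(SAMPLE_LOG.splitlines()).items():
        print(f"{count:4d}  {description}")
```

Any non-zero count for the PMTUD entries means the firewall is producing exactly the black hole the resource warns about: the sender's large packets are being dropped upstream and the notification never arrives. Dropped NDP messages on an internal interface point to an IPv6 segment that cannot resolve neighbours or learn its prefix.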

How the Technology Works

ICMP operates at the network layer (Layer 3) of the OSI model, alongside IP. Unlike TCP and UDP, ICMP does not transport application data. Instead, it carries control messages about network conditions.

Path MTU Discovery works by sending packets with the "Don't Fragment" (DF) bit set in IPv4 or relying on the no-fragmentation design of IPv6. When a router encounters a packet too large for the next link, it drops the packet and sends an ICMP Fragmentation Needed or Packet Too Big message back to the source. The source then reduces its packet size and retries.

When firewalls block these ICMP messages, the source never learns that its packets are being dropped. TCP connections appear to hang because the initial small handshake packets succeed, but larger data packets disappear without explanation.

IPv6 Neighbor Discovery Protocol uses ICMPv6 for functions that IPv4 handles through separate protocols. Router Solicitation and Advertisement messages enable hosts to discover routers and obtain network prefixes. Neighbor Solicitation and Advertisement messages provide address resolution, replacing ARP.

Technical context for expert readers: The TCP Maximum Segment Size (MSS) option, negotiated during connection establishment, provides an alternative to PMTUD for some scenarios. However, MSS clamping at network boundaries requires explicit configuration and does not adapt to path changes.
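To make the black-hole mechanism and the two workarounds concrete, here is an added simulation; it is not code from the article or from shouldiblockicmp.com, and the link MTUs, packet sizes and helper names are constructed for the example. It models a sender doing classic PMTUD, the same sender on a path where a firewall drops the ICMP feedback, RFC 4821-style probing that needs no ICMP, and a fixed MSS clamp that works until the path changes.

```python
"""Simulation of Path MTU Discovery (PMTUD) with and without ICMP feedback.

Added example: constructed path, MTUs and helper names; not code from the
article or from shouldiblockicmp.com.
"""
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    mtu: int


@dataclass
class Path:
    """A sequence of links; icmp_blocked models a firewall on the return path
    that drops Fragmentation Needed (IPv4 3/4) and Packet Too Big (IPv6 2/0)."""
    links: list
    icmp_blocked: bool = False

    def forward(self, size):
        """Send one DF packet of `size` bytes.

        Returns ("delivered", None) if every link carries it,
        ("icmp", next_hop_mtu) if a router dropped it and its ICMP error got back,
        ("blackhole", None) if the router dropped it and the error was filtered.
        """
        for link in self.links:
            if size > link.mtu:
                if self.icmp_blocked:
                    return "blackhole", None
                return "icmp", link.mtu
        return "delivered", None


def classic_pmtud(path, size, max_rounds=8):
    """Classic PMTUD: trust the MTU advertised in the ICMP error and retry.
    Returns the discovered path MTU, or None if the sender never gets feedback."""
    for _ in range(max_rounds):
        status, mtu = path.forward(size)
        if status == "delivered":
            return size
        if status == "icmp":
            size = mtu      # shrink to the next-hop MTU the router reported
        else:
            return None     # no error arrives; the sender just keeps retransmitting
    return None


def plpmtud(path, floor=1280, ceiling=1500):
    """RFC 4821-style Packetization Layer PMTUD: infer the path MTU from which
    probe sizes get through, using no ICMP at all. `floor` is a size assumed to
    always work (1280 is the IPv6 minimum link MTU). The binary search costs
    several round trips where one ICMP error would have given the answer directly."""
    if path.forward(floor)[0] != "delivered":
        return None
    low, high = floor, ceiling + 1      # invariant: `low` works, `high` is never probed
    while high - low > 1:
        probe = (low + high) // 2
        if path.forward(probe)[0] == "delivered":
            low = probe
        else:
            high = probe
    return low


def mss_clamped_transfer(path, clamped_mtu):
    """TCP MSS clamping at the border caps the segment size to a fixed value,
    expressed here as the resulting packet size. It works as long as the clamp
    is <= the real path MTU; it does not adapt when the path changes."""
    return path.forward(clamped_mtu)[0] == "delivered"


def demo():
    """Constructed topology: 1500-byte LAN, a 1400-byte tunnel hop, 1500-byte WAN."""
    links = [Link("lan", 1500), Link("tunnel", 1400), Link("wan", 1500)]
    icmp_ok = Path(links)
    icmp_dropped = Path(links, icmp_blocked=True)
    # Path change: the tunnel MTU shrinks after the clamp was configured.
    changed = Path([Link("lan", 1500), Link("tunnel", 1300), Link("wan", 1500)],
                   icmp_blocked=True)
    return {
        # The small handshake packets get through even when ICMP is filtered ...
        "handshake_ok_even_when_blocked": icmp_dropped.forward(60)[0] == "delivered",
        "classic_with_icmp": classic_pmtud(icmp_ok, 1500),            # 1400
        # ... but full-size data packets vanish and the sender never learns why.
        "classic_icmp_blocked": classic_pmtud(icmp_dropped, 1500),    # None
        "plpmtud_icmp_blocked": plpmtud(icmp_dropped),                # 1400, by probing
        "mss_clamp_1400": mss_clamped_transfer(icmp_dropped, 1400),   # True
        "mss_clamp_after_path_change": mss_clamped_transfer(changed, 1400),  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `classic_icmp_blocked` case is the "connection establishes, then hangs" symptom from the discussion: the 60-byte handshake is delivered, the 1500-byte data packet is dropped, and with the ICMP error filtered the sender has nothing to react to. PLPMTUD recovers by probing, at the cost of extra round trips, and the MSS clamp recovers only for the path it was configured for.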

Industry Implications

The persistence of ICMP blocking debates reflects broader tensions in network security between defense-in-depth principles and operational requirements. Security guidance from the 1990s and early 2000s often recommended blocking ICMP, and these recommendations persist in some organizational policies despite changed circumstances.

Cloud providers and content delivery networks generally permit essential ICMP traffic, recognizing its importance for performance optimization and troubleshooting. Enterprise networks with legacy security policies may face pressure to update their approaches as IPv6 adoption increases.

The transition to IPv6 makes ICMP handling more critical. Organizations that successfully blocked ICMPv4 with minimal impact may find that the same approach breaks IPv6 connectivity entirely.

Confirmed Facts and Open Questions

Confirmed:

  • ICMP Fragmentation Needed and Packet Too Big messages are essential for Path MTU Discovery
  • IPv6 NDP requires ICMPv6 for basic network operation
  • RFC 4821 defines PLPMTUD as an alternative when ICMP is blocked
  • Rate limiting provides a middle ground between blocking and unrestricted ICMP

Unclear:

  • Percentage of enterprise networks that still implement blanket ICMP blocking
  • Effectiveness of PLPMTUD across different operating systems and network conditions
  • Whether security benefits of ICMP blocking outweigh operational costs in specific threat models

What to Watch Next

IPv6 adoption rates and associated network configuration challenges will continue to surface ICMP-related issues. Organizations deploying IPv6 for the first time may encounter unexpected problems if existing firewall policies block ICMPv6.

Updates to security compliance frameworks and best practice guides regarding ICMP handling bear monitoring. Changes in guidance from organizations like NIST or CIS could influence enterprise firewall policies.

The development of network troubleshooting tools that work around ICMP blocking may reduce pressure to change firewall policies, though this represents a workaround rather than a solution to the underlying configuration issue.
