Determining Reachability

PING is built upon the Internet Control Message Protocol (ICMP) and uses a system of echo and echo-reply messages to indicate whether a host is reachable. When a source host attempts to determine whether a destination host is reachable, it generates an ICMP echo packet for the destination host. When the destination host receives the echo packet, it responds with an echo-reply packet, allowing the source host to ascertain that the destination is reachable. If for some reason the destination host does not respond, the assumption is that it is unreachable. It is important to note that this is an assumption, because there are any number of reasons a host might not respond to an echo packet even though it is actually up and accessible. Therefore, it is important to understand that the failure to receive a response to an echo message does not necessarily provide any information regarding what, if anything, might be wrong. It simply means that the source host did not receive a response to the echo message.

In the event that a host fails to respond to an echo request, two common messages may be generated. The first is a "request timed out" response. This typically indicates that the destination network was able to be reached but that the destination host did not respond (which indicates a problem with the destination host itself). The other response is "destination network unreachable." This message indicates that the destination network was unable to be located and typically indicates a problem with the network interconnectivity or a routing problem, not necessarily a problem with the destination host.

As mentioned in Chapter 3, "TCP/IP for Firewalls," because of the nature of ICMP traffic, it is a best practice to restrict ICMP through the firewall to prevent ICMP-based attacks from being directed against hosts protected by the firewall. The obvious side effect is that if ICMP is blocked, PING cannot be used through the firewall to troubleshoot potential network problems. A commonly implemented workaround for this is to allow certain types of ICMP traffic through the firewall. These workarounds include allowing echo-reply, time-exceeded, and unreachable messages from untrusted hosts, while allowing echo messages to untrusted hosts. This allows you to ping external hosts and provides a means for the firewall to allow the three common echo message responses to return. This can be done on the Cisco Secure PIX Firewall by applying the commands in Example A-1 as a component of an access list.

Was this article helpful?

0 0
Basic SEO Explained

Basic SEO Explained

Struggling to Optimize Your Site for the Search Engines? Uncover What You Need to Know to Perform Basic SEO on Your Site, and Help Get it Listed in the Powerful Search Engines. Are YOU Ready to Climb Your Way Up The Search Engine Rankings and Start Getting the FREE Traffic You're Looking For? Hundreds of places claim they can give you top rankings, but wouldn't you rather just learn how to do it on your own so you can repeat the process on any future site you build?

Get My Free Ebook

Post a comment