An interesting thing happened to us this week that I thought I'd share here. As a general troubleshooting step when working with Orion customers, I commonly remove the data from within the payload portion of ICMP packets that Orion sends. I've seen a lot of situations over the years where this helped. For instance, I've seen firewalls that wouldn't pass packets with content in the payload, I've seen Ethernet switches that would drop ICMP packets with an odd byte count (meaning 17 bytes vs. 16), and I've seen situations where, when sending a high load of ICMP packets through firewalls, the firewalls could handle a higher packet load if the packet size was decreased.

So, I asked our Orion team to change the default in the next rev of Orion to make the payload empty by default. My role here allows me to make stupid suggestions like this and sometimes people listen. Turns out, I may have been a bit hasty...

Over the last few years firewall vendors have begun placing rules on the firewalls to block ICMP packets with a NULL payload. This is because a NULL payload is a common signature for several known worms and, as far as security vendors are concerned, when in doubt, shut it down...

The RFC does not require that any data is present within the payload portion of the packet, and in doing a quick review of several network management products from different vendors, it seems that opinions on this subject are widespread. The only opinions that we really care about here are from our customers, so I'd like to hear your opinion on this...

Also, please note, we're only talking about the "default" here. From within the settings you can alter the payload portion of the packet any which way you like.

 

Flame on...
Josh
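To make the packet traits discussed above concrete, here is an added example (not Orion code and not part of the original post) that builds ICMP echo requests with an empty, 16-byte and 17-byte payload and reports the properties a filtering device might key on. The function names, identifier and sequence values are hypothetical, and the sample packets are constructed.

```python
import struct

ICMP_ECHO_REQUEST = 8  # RFC 792: type 8, code 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # odd-length messages are zero-padded for summing only
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Return an ICMP echo request (no IP header); the payload may be empty."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def classify_echo(icmp: bytes) -> dict:
    """Parse an ICMP message and report the payload traits from the post."""
    if len(icmp) < 8:
        raise ValueError("ICMP echo header is 8 bytes")
    icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", icmp[:8])
    payload = icmp[8:]
    return {
        "is_echo_request": icmp_type == ICMP_ECHO_REQUEST and code == 0,
        "checksum_ok": inet_checksum(icmp) == 0,  # a valid message sums to zero
        "payload_len": len(payload),
        "empty_payload": len(payload) == 0,  # the "NULL payload" signature
        # The header is 8 bytes, so payload parity equals message parity.
        "odd_byte_count": len(payload) % 2 == 1,
    }


if __name__ == "__main__":
    # Constructed samples: empty, 16-byte and 17-byte payloads.
    for size in (0, 16, 17):
        pkt = build_echo_request(ident=1, seq=size, payload=b"A" * size)
        print(size, classify_echo(pkt))
```

An empty-payload request is still a well-formed 8-byte message with a valid checksum, so any device that drops it is applying policy, not protocol validation.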