Is it necessary to allow ICMP for OpenZiti? (PMTUD)

Hey everyone,

First, thanks for creating OpenZiti! It is crazy amazing!

I’m currently reviewing my firewall rules for a setup involving pfSense, Proxmox, and OpenZiti. My default thought would be to not allow ICMP on my firewall, but I've been reading up on MTU issues and wanted to get a sanity check from the community on whether I really need to open specific ICMP types for the Ziti controller and routers.

From my research, the recommendation is to allow ICMP Types 3, 4, and 8, e.g.:

  • Type 8 (Echo Request): Purely for diagnostics. I believe it's not necessary.
  • Type 4 (Source Quench): Looks like this was deprecated by the IETF in 2012 (RFC 6633). I'm planning to ignore this completely.
  • Type 3 (Destination Unreachable / Fragmentation Needed): This is the one I’m not sure about.

If a router drops that packet because it's too big and I have Type 3 blocked, the sender never gets the information that the data never arrived.

My question is: Do I even need to open/create rules to allow the ICMP traffic? Or is that encapsulated in Ziti already?

Thanks!!

Anyone with an idea? :smiling_face_with_tear:

Hi @golden-monkey, welcome to the community and to OpenZiti!

:heart: thanks! We always appreciate it when people are enjoying OpenZiti (and zrok and other projects).

I don't know of any specific rules to allow ICMP but I'm not on that particular team and I'm not a network engineer. However, I know this is a NetFoundry-provided controller:

Pinging 9a062ac6-0bf5-489e-9b90-726195c84a8d.production.netfoundry.io [98.80.165.134] with 32 bytes of data:
Request timed out.
Request timed out.

You can see WE don't allow ICMP ping :slight_smile: I also checked a router, we don't allow pings to routers either. So it's safe to say if the company that supports and runs OpenZiti as a service (NetFoundry) doesn't allow ICMP, it's not necessary. :slight_smile: I tried to use GPT to show me how to generate a Type 4 or Type 3 message type but I don't know how successful I was. You can probe them if you like :wink:

OpenZiti does not encapsulate ICMP. OpenZiti operates exclusively on IP; no other layer 3 protocol is handled at this time.

Thank you so much for the answer!

That is very reassuring to hear :smiley: I personally do not think that this would cause any major problem. Once I run the network on some huge files I will check and report back if there were any issues. But so far, not allowing the ICMP did not make any difference for us!