Updated 4/15/07

ICMP Types and safety:

Necessary messages (never block):
  3        Destination Unreachable (blocking code 4 breaks Path MTU Discovery; the other codes are merely "nice")

Good messages (never harmful):
  11       Time to Live Exceeded

Nice messages (sometimes harmful):
  4        Source Quench
  8/0      Echo Request/Reply
  12       Parameter Problem
  13/14    Timestamp Request/Reply
  15/16    Information Request/Reply
  37/38    Domain Name Request/Reply (RFC 1788)
  139/140  Node Information Request/Reply (RFC 4620, ICMPv6)

Dangerous (ought to be blocked unless you know you need it; in that case tightly restricted):
  5        Redirect

Cisco also recently released an IOS patch for an attack that uses type 3 code 4 (Fragmentation Needed, the message used in Path MTU Discovery) packets to shrink the MTU of a TCP connection to nearly nothing. To do this the attacker needs the correct port numbers of the TCP connection, but in some cases those aren't all that hard to get. I don't recommend blocking type 3 code 4; the attack can still be recognized, and the TCP stack can reject unrealistically small PMTU values. It might be handy to have a filter that recognizes this PMTU attack and blocks it dynamically. BTW, the IOS issue is avoided by having BGP sessions on loopback interfaces rather than physical interfaces.