skip to content

IT Help and Support

University Information Services
 

RFC 1122, Requirements for Internet Hosts - Communication Layers, requires that every host must implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies. All devices that are 'actively connected to the CUDN using IP' (see below) should perform this function and those devices must perform this function correctly for ICMP Echo Requests from the following Trusted Subnet:

131.111.12.0/24

Additionally, consideration should be given to allowing access to institutions' internal networks from the Computing Service internal network listed below, from which the initial investigation of network faults is often undertaken. The internal Computing Service subnet from which diagnostic testing may be performed is:

131.111.10.0/23

Notes

The Echo server function is needed to facilitate the friendly probing that is carried out by the Computing Service to identify CUDN- connected devices that are vulnerable to common attacks by hackers.

A device is 'actively connected to the CUDN using IP' if it is in a position to transmit using the IP protocol suite to the network to which it is connected, and thence to the CUDN. Elaborating some specific cases:

  • a device that is powered off is not actively connected at that time;
  • if IP transmissions from a device are prevented from reaching the CUDN, the device is not actively connected to the CUDN using IP; this might be the case if the device is connected to an institutional network that is connected to the CUDN via a firewall that does not forward traffic from the device (in simple terms, the device is not visible from the CUDN through the firewall).
  • if IP transmissions from a device that is connected via a firewall (whether or not the firewall is providing network address translation) reach the CUDN then the ICMP Echo server function must be provided, either by the device or by the firewall on the device's behalf.

However, even if the device is hidden behind a firewall so that the device's IP transmissions do not reach the CUDN, institutions are recommended to allow communication, including the ICMP Echo Requests and Replies, between the device and the Trusted Subnet (above) through the firewall to permit devices behind the firewall to be probed by the Computing Service's 'friendly probes', thereby enhancing the security of the institution's network.