Two banks are reviewing their policies of blocking all ICMP traffic so access problems with their websites can be solved. However, they want to be sure security is not compromised first.
ASB Bank and the National Bank, along with most of New Zealand's online banks, have a blanket ban on all ICMP (internet control message protocol) traffic to them, which can cause problems with site access for users (see Online banking issues down to "hot-rodding" PC settings).
ASB Bank security specialist Darren Bilby said recently that because the banks filter out unwanted incoming traffic, ICMP messages get rejected.
"It's one of those things where our standard policy is if we don't need it and it's no great issue, let's leave it off," says Bilby.
However, ASB Bank's chief manager for online services, Matthew Bartlett, now says that if there is no impact on the bank's security then making a minor change to the filtering policy to help those customers affected shouldn't be a problem.
National Bank spokeswoman Cynthia Brophy also says the bank will be reviewing its policy - although only if security concerns are met.
"Our bank, like many other organisations, has blocked ICMP. ICMP in particular can be used to generate denial of service attacks ... Our policy is to allow through only what is specifically required."
She says the bank will look at "the granularity of ICMP as long as we can achieve that without reducing security and availability of our online services."
Brophy says only a "very small [percentage] of our customers" have experienced problems relating to ICMP blocking.
Since IDGNet raised the issue last week, a number of network administrators have contacted IDGNet to point out the problems involved with blocking all ICMP traffic. Both the DSL mailing list and the NZ Network Operators Group have been discussing the issue at some length.
Systems administrator at Auckland-based ISP Orcon, Craig Whitmore, says the problem has been known about for some time.
"We can't use GRE [generic routing encapsulation] tunnels for our customers because if we do the users complain they can't see the bank."
GRE protocol tunnels will only accept packets that are smaller than 1476 bytes. Whitmore says the tunnels, used to form basic virtual private networks or VPNs, are a staple of the network industry and having to work without them causes a lot of hassles. He says the banks should change their policy on ICMP as the problem is affecting customers' ability to see bank websites.
"It sends the packets to the bank and because it's going through a GRE tunnel it has to fragment the packets. Coming back the bank is supposed to send an ICMP message saying 'please fragment it' and all the bank does is drop it and it never gets back to the user. You get things like web pages only half loading."
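What the exchange Whitmore describes looks like in practice, and how the "granularity of ICMP" the National Bank mentions differs from a blanket block, can be shown with a small simulation. The following Python is an added example written for this page, not code from either bank, Orcon or IDGNet. It models a bank web server behind an inbound filter, a customer's GRE tunnel with the 1476-byte limit quoted above, and the ICMP "fragmentation needed" message (type 3, code 4, defined in RFC 792 and used by path MTU discovery in RFC 1191) that must get back to the server. The host names, the 1500-byte starting MTU, the packet fields, the page size and the retry count are constructed assumptions.

```python
"""Path MTU discovery across a GRE tunnel under two inbound ICMP policies.

Constructed simulation: hosts, the 1500-byte starting MTU, packet fields and
retry counts are assumptions; only the 1476-byte GRE limit comes from the page.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# ICMP (type, code) pairs from RFC 792; (3, 4) is what RFC 1191 PMTUD relies on
ICMP_ECHO_REQUEST: Tuple[int, int] = (8, 0)     # what most people mean by "ping"
ICMP_FRAG_NEEDED: Tuple[int, int] = (3, 4)      # "fragmentation needed and DF set"

GRE_TUNNEL_MTU = 1476       # largest packet the customer's GRE tunnel carries (from the article)
DEFAULT_PATH_MTU = 1500     # assumed Ethernet MTU the bank's server starts from


@dataclass
class Packet:
    src: str
    dst: str
    size: int                                   # total IP datagram length in bytes
    df: bool = True                             # "don't fragment": PMTUD depends on it being set
    icmp: Optional[Tuple[int, int]] = None      # (type, code) when this is an ICMP message
    next_hop_mtu: int = 0                       # MTU advertised in a frag-needed reply
    quoted_dst: str = ""                        # destination of the packet the ICMP reply is about


# --- the bank's inbound filter policies -------------------------------------
def blanket_icmp_block(pkt: Packet) -> bool:
    """The policy described in the article: drop every ICMP message, pass the rest."""
    return pkt.icmp is None


ICMP_REQUIRED = {ICMP_FRAG_NEEDED}   # the minimum PMTUD needs; echo/ping stays blocked


def granular_icmp_block(pkt: Packet) -> bool:
    """A granular policy: drop ICMP except the specific types the service requires."""
    return pkt.icmp is None or pkt.icmp in ICMP_REQUIRED


# --- the router at the customer's end of the GRE tunnel ---------------------
def gre_tunnel_hop(pkt: Packet) -> Packet:
    """Forward the packet into the tunnel if it fits. If it does not fit and DF is
    set, drop it and return the ICMP 'please fragment' message sent back to the sender."""
    if pkt.size <= GRE_TUNNEL_MTU or not pkt.df:
        return pkt          # fits (or may be fragmented): forwarded unchanged
    return Packet(src="gre-router", dst=pkt.src, size=56, df=False,
                  icmp=ICMP_FRAG_NEEDED, next_hop_mtu=GRE_TUNNEL_MTU,
                  quoted_dst=pkt.dst)


# --- the bank's web server --------------------------------------------------
class BankServer:
    def __init__(self, inbound_filter: Callable[[Packet], bool]) -> None:
        self.inbound_filter = inbound_filter
        self.path_mtu: Dict[str, int] = {}     # per-customer path MTU learned from ICMP

    def receive(self, pkt: Packet) -> None:
        """Inbound traffic passes the filter before the server ever sees it."""
        if not self.inbound_filter(pkt):
            return                              # dropped at the edge; the server learns nothing
        if pkt.icmp == ICMP_FRAG_NEEDED:
            self.path_mtu[pkt.quoted_dst] = pkt.next_hop_mtu

    def send_page(self, client: str, page_bytes: int, max_attempts: int = 8) -> dict:
        """Deliver a page in DF-set segments sized to the known path MTU; return what arrived."""
        delivered = 0
        attempts = 0
        while delivered < page_bytes and attempts < max_attempts:
            attempts += 1
            mtu = self.path_mtu.get(client, DEFAULT_PATH_MTU)
            seg = Packet(src="bank", dst=client, size=min(mtu, page_bytes - delivered))
            out = gre_tunnel_hop(seg)
            if out is seg:
                delivered += seg.size           # reached the customer through the tunnel
            else:
                self.receive(out)               # ICMP reply arrives at the bank's edge
        # a real TCP stack would keep retransmitting until it timed out; the
        # customer sees a page that stops loading part-way through
        return {"delivered": delivered, "attempts": attempts,
                "complete": delivered >= page_bytes}


if __name__ == "__main__":
    for name, policy in (("blanket ICMP block", blanket_icmp_block),
                         ("granular ICMP filter", granular_icmp_block)):
        result = BankServer(policy).send_page("customer-behind-gre", 4000)
        print(f"{name:22s} -> {result}")
```

With the blanket block the server never learns the 1476-byte limit, so every 1500-byte segment is dropped at the tunnel and nothing beyond the first small packets arrives; with the granular filter the single type 3 code 4 message gets through, the server shrinks its segments, and the page completes, while echo requests are still dropped at the edge.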
Whitmore says there shouldn't be any security concerns over ICMP.
"Most people think of ping when they think of ICMP, but there's lots of other types of ICMP messages other than ping. I think the security people think 'we don't need ICMP, it's just ping, I'll get rid of it' and they drop all of it."
He welcomes any decision by the banks to review the policy.
"That would be cool."
WestpacTrust, ANZ and BNZ have yet to return IDGNet calls.