Hey Rich,
> I've pointed folks at this for years: ICMP Packet Filtering v1.2 http://www.cymru.com/Documents/icmp-messages.html
To me this seems like an anti-pattern. It seems it was written on the basis of 'what we know we allow, what we don't know we deny', with the assumption that ICMP is dangerous. Similarly, we break IP extensibility by not allowing IP protocols we don't know about. There are many, hopefully obvious, reasons why just because we don't know about something doesn't mean it's dangerous. One of the more obvious is that it may not exist yet.

To me, the correct pattern here is to deny things you know to be harmful and can justify reasonably, and to test that justification over time for its validity.

One particular example springs to mind: ICMP Timestamp. This allows you to measure unidirectional latency to millisecond precision, unless we specifically break it. It's been a useful troubleshooting tool to me in the past, saving time and money.

--
++ytti
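The ICMP Timestamp mechanism mentioned above, as an added example that is not part of the thread: it encodes and decodes RFC 792 Timestamp Request/Reply messages (types 13/14, three 32-bit fields of milliseconds since midnight UTC) and derives the forward and return one-way delays from a reply. The sample field values are constructed; no packets are sent.

```python
"""ICMP Timestamp (RFC 792) encode/decode and one-way delay calculation."""
import struct

ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
MS_PER_DAY = 24 * 60 * 60 * 1000          # timestamps wrap at midnight UTC
HDR_FMT = "!BBHHHIII"                     # type, code, csum, id, seq, orig, recv, xmit


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_timestamp(msg_type, ident, seq, originate, receive=0, transmit=0) -> bytes:
    """Build a 20-byte Timestamp Request/Reply with the checksum filled in."""
    hdr = struct.pack(HDR_FMT, msg_type, 0, 0, ident, seq, originate, receive, transmit)
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr)) + hdr[4:]


def parse_timestamp(pkt: bytes) -> dict:
    """Parse a Timestamp message, rejecting short or corrupted input."""
    if len(pkt) < 20:
        raise ValueError("short ICMP timestamp message")
    if icmp_checksum(pkt[:20]) != 0:
        raise ValueError("bad ICMP checksum")
    t, code, _, ident, seq, orig, recv, xmit = struct.unpack(HDR_FMT, pkt[:20])
    return dict(type=t, code=code, id=ident, seq=seq,
                originate=orig, receive=recv, transmit=xmit)


def one_way_delays(reply: dict, arrival_ms: int) -> tuple:
    """Return (forward, return) delay in ms from a parsed Timestamp Reply.

    forward = receive - originate, return = local arrival - transmit. Both are
    taken mod MS_PER_DAY so a probe that straddles midnight UTC stays positive.
    The result is only as accurate as the two hosts' clock synchronisation."""
    fwd = (reply["receive"] - reply["originate"]) % MS_PER_DAY
    back = (arrival_ms - reply["transmit"]) % MS_PER_DAY
    return fwd, back
```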