(Doing my usual reiteration thing) routers _cannot_ generate UNREACH for every host. Routers don't usually generate UNREACH for dead hosts on ethernet/FDDI (should they, anyway?). Routers cannot generate
Yes, it's understood what 'routers usually don't do' :-) Routers don't do a lot of things they might. Confirming this, and as pointed out by another, Postel, in RFC 793, points out this could be done as well (guess vendors just decided not to do it). IMO, we are seeing one example (of many) why this 'might always be done', independent of the SYN attacks discussion.

There are lots of application protocols that could benefit from knowing the destination was UNREACHABLE with an ICMP control packet. Why would you NOT want to know about network errors? For example, why shouldn't a non-defaulting router inform the originator that 0.0.0.4 is not routable? Or, why would you not want to be informed that a host is UNREACHABLE? Even during periods of route flap, it should be up to the protocol designer to decide how to set timers and respond to such errors, etc.

This is an interesting issue, IMO. Application and protocol programmers would have more information to 'use as they choose' if ICMP UNREACHABLES were actually sent when destinations are unreachable and sent 'as a rule'. This, IMO, is a direct protocol issue, and not a security issue per se.

Best Regards,
Tim
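The ICMP control packet the thread refers to is the Destination Unreachable message (type 3) defined in RFC 792: an 8-byte ICMP header followed by the IP header and first 8 bytes of the datagram that could not be delivered, which is exactly what lets an application tie the error back to one of its own connections. The following is an added example, not code from either poster: it builds a constructed host-unreachable message for a TCP segment, verifies the ICMP checksum, decodes the reason code, and recovers the original addresses and ports. The addresses, ports, and the `matches_connection` helper are assumptions made for the illustration; the embedded IP header checksum is left at zero because the parser does not validate it.

```python
import struct
import ipaddress

# RFC 792 Destination Unreachable codes (0-5); 13 was added later (RFC 1812).
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    13: "communication administratively prohibited",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int = 40) -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left at 0; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_unreachable(code: int, inner_ip_header: bytes, inner_first8: bytes) -> bytes:
    """Assemble a type-3 ICMP message carrying the offending IP header + 8 bytes."""
    body = inner_ip_header + inner_first8
    csum = icmp_checksum(struct.pack("!BBHI", 3, code, 0, 0) + body)
    return struct.pack("!BBHI", 3, code, csum, 0) + body


def parse_unreachable(msg: bytes) -> dict:
    """Validate and decode a Destination Unreachable message; raise on malformed input."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("ICMP message too short to carry IP header + 8 bytes")
    if icmp_checksum(msg) != 0:  # a correct message sums to zero with its checksum included
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", msg[:8])
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable (type 3) message")
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4  # embedded header may carry options
    if ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("embedded IP header truncated")
    proto = inner[9]
    result = {
        "code": code,
        "reason": UNREACH_CODES.get(code, "unknown code %d" % code),
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "protocol": proto,
    }
    if proto in (6, 17):  # TCP/UDP: ports are the first 4 bytes after the IP header
        result["src_port"], result["dst_port"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return result


def matches_connection(parsed: dict, local_ip: str, local_port: int,
                       remote_ip: str, remote_port: int) -> bool:
    """Only act on the error if the embedded header names one of our own connections
    (hypothetical policy helper; guards against acting on unrelated or spoofed errors)."""
    return (parsed["orig_src"] == local_ip and parsed.get("src_port") == local_port
            and parsed["orig_dst"] == remote_ip and parsed.get("dst_port") == remote_port)


# Constructed sample: our SYN from 192.0.2.10:40000 to 198.51.100.7:80 drew a host-unreachable.
SAMPLE_INNER_IP = build_ipv4_header("192.0.2.10", "198.51.100.7", 6)
SAMPLE_TCP_FIRST8 = struct.pack("!HHI", 40000, 80, 0x11223344)  # sport, dport, seq
SAMPLE_MSG = build_unreachable(1, SAMPLE_INNER_IP, SAMPLE_TCP_FIRST8)

if __name__ == "__main__":
    info = parse_unreachable(SAMPLE_MSG)
    print(info)
    print("ours:", matches_connection(info, "192.0.2.10", 40000, "198.51.100.7", 80))
```

The check in `matches_connection` is the part a protocol designer would want to keep whatever timer policy they choose: an unreachable is only meaningful for the connection whose header it quotes, and an error that quotes no connection of ours is dropped rather than acted on.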