OIT Network Systems

OIT Filters Broadcast and Multicast ICMP Echo Request Traffic

OIT filters broadcast and multicast ICMP Echo Request traffic on the wireless networks operated by OIT. We do so because such traffic can degrade network service in some situations, and there is no legitimate need for devices to send it on the campus network.

What are ICMP Echo Requests?

ICMPv4 and ICMPv6 (the Internet Control Message Protocol for IPv4 and IPv6) are among IP's core protocols. IP cannot operate properly without them.

ICMP Echo Requests are messages that essentially ask a target IP address "are you there?" The target (if present) may respond with an ICMP Echo Reply (sometimes called an Echo Response).

The ubiquitous ping program operates by sending an ICMP Echo Request to the specified target. (Some ping variants use UDP probes instead; the standard ping uses ICMP Echo Requests.)

A wide variety of other protocols and applications make use of ICMP Echo Requests.

Why does OIT filter broadcast and multicast ICMP Echo Request traffic?

Some application writers have apparently designed their applications to use broadcast or multicast ICMP Echo Requests to discover all devices on the same IP subnet as the device running the application.

Such applications send an ICMP Echo Request packet to an IP broadcast or IP multicast address. (Some do so each time the application starts; others do so periodically for as long as the application is running.) This is not a good design for applications run on a large network. Because the ICMP Echo Request was sent to a broadcast or multicast address (instead of to a unicast address, as is typical), the packet must be flooded to every device on the IP subnet. Every device on the subnet willing to respond (nearly all of them) then transmits an ICMP Echo Reply, so many unicast packets converge on a single point in the network at the same time. More importantly, most of the responding IPv4 devices must first broadcast an IPv4 ARP Request for the requester's IPv4 address: receiving a broadcast IP packet does not populate a host's ARP cache, so a responder that has not recently talked to the requester has no link-layer address to send its reply to. Each of those ARP Request packets is in turn flooded to the entire IP subnet, consuming network bandwidth and requiring processing by every device on the subnet. This degrades network service.

Our experience is that sometimes the behavior is even worse, as the poorly-behaved application may proceed to broadcast IPv4 ARP Request packets for the IPv4 addresses of all the devices which responded to the ICMP Echo Request packet.
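The cascade described in the two paragraphs above can be made visible in a capture. The following is an added example, not code from the original page or from OIT: a small detector that scans a frame log for ICMP Echo Requests sent to a broadcast or multicast destination and counts the ARP Requests and Echo Replies that follow each one. The frame log is constructed inline to match the page's description (one well-behaved unicast ping, then a broadcast ping from 10.8.1.5, an assumed address on an assumed 10.8.1.0/24, after which every other host ARPs for the requester and replies, and the requester then ARPs every responder); the addresses, host count and timings are assumptions, not data from Princeton's network.

```python
"""Added example: find the ARP/reply cascade a broadcast Echo Request sets off.

The capture is constructed to match the page's description; addresses and
timings are assumptions, not a real trace.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

LIMITED_BROADCAST = IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class Frame:
    t: float    # seconds since start of capture
    kind: str   # "echo_req", "echo_reply" or "arp_req"
    src: str    # sender IPv4 address
    dst: str    # destination IPv4 address (for arp_req: the address being asked for)


def is_broadcast_or_multicast(ip: str, directed_broadcast: Optional[str] = None) -> bool:
    """True for 255.255.255.255, any IPv4 multicast group, or the subnet's
    directed broadcast address if the caller supplies it (the subnet mask is
    not recoverable from a single packet, so it has to be configured)."""
    a = IPv4Address(ip)
    return a == LIMITED_BROADCAST or a.is_multicast or ip == directed_broadcast


def find_cascades(frames, window=2.0, directed_broadcast=None):
    """For each broadcast/multicast Echo Request, count the frames it provokes
    within `window` seconds. Only the broadcast frames (the request itself and
    the ARP Requests) are flooded to the whole subnet, so those are totalled."""
    reports = []
    for i, f in enumerate(frames):
        if f.kind != "echo_req" or not is_broadcast_or_multicast(f.dst, directed_broadcast):
            continue
        arps_for_requester = arps_by_requester = replies = 0
        for g in frames[i + 1:]:
            if g.t - f.t > window:
                break
            if g.kind == "arp_req" and g.dst == f.src and g.src != f.src:
                arps_for_requester += 1       # responders resolving the requester
            elif g.kind == "arp_req" and g.src == f.src:
                arps_by_requester += 1        # requester resolving each responder
            elif g.kind == "echo_reply" and g.dst == f.src:
                replies += 1
        reports.append({
            "t": f.t,
            "requester": f.src,
            "destination": f.dst,
            "echo_replies": replies,
            "arp_requests_for_requester": arps_for_requester,
            "arp_requests_by_requester": arps_by_requester,
            # every one of these is flooded to every device on the subnet
            "broadcast_frames_caused": 1 + arps_for_requester + arps_by_requester,
        })
    return reports


def constructed_capture(n_hosts=40, requester="10.8.1.5"):
    """Build the constructed sample log (assumed addresses on 10.8.1.0/24)."""
    others = [f"10.8.1.{i}" for i in range(10, 10 + n_hosts)]
    frames = [
        # a normal unicast ping: at most one ARP exchange, one reply
        Frame(0.00, "arp_req", requester, others[0]),
        Frame(0.01, "echo_req", requester, others[0]),
        Frame(0.02, "echo_reply", others[0], requester),
        # the offending broadcast ping
        Frame(10.00, "echo_req", requester, "255.255.255.255"),
    ]
    t = 10.0
    for h in others:                      # each host needs the requester's MAC first
        t += 0.001
        frames.append(Frame(t, "arp_req", h, requester))
        frames.append(Frame(t + 0.0005, "echo_reply", h, requester))
    for h in others:                      # the badly behaved app then ARPs them all
        t += 0.001
        frames.append(Frame(t, "arp_req", requester, h))
    return frames


if __name__ == "__main__":
    for report in find_cascades(constructed_capture()):
        print(report)
```

With 40 other hosts the single broadcast Echo Request produces 40 Echo Replies converging on the requester and 81 broadcast frames on the subnet (the request plus 40 ARP Requests for the requester plus 40 ARP Requests by the requester), against one ARP Request for the unicast ping. Pass the subnet's directed broadcast address (for example 10.8.1.255 on the assumed /24) to `find_cascades` to catch pings sent to that address as well.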

Less often, an individual running a ping program specifies an IP broadcast address to the program just to see what happens.

In rare situations, someone might try sending an ICMP Echo Request packet to a broadcast address in an attempt to troubleshoot a network problem.

The effect of this traffic (in particular the flood of ARP Request packets that follows a broadcast/multicast ICMP Echo Request) degrades network service. This is especially true on wireless networks, where broadcast and multicast frames are transmitted at a low basic data rate and must be received by every associated client, so each one consumes far more airtime than a unicast frame.

Broadcast and multicast ICMP Echo Request packets are not necessary for the proper operation of the campus network. Because they are not necessary, and their use degrades network service, OIT filters such traffic where possible.

What is filtered, where is it filtered, and what is the effect?

OIT began filtering broadcast and multicast ICMP Echo Request traffic in December 2010.

ICMP Echo Request packets are discarded by the filter when they are destined to the IPv4 limited broadcast address (255.255.255.255) or to the IPv4 all-hosts multicast address (224.0.0.1). The rule is stated in terms of these two IPv4 destinations only; Echo Requests to other destinations, including unicast addresses, are not matched by it.
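The match rule above, as an added software example (not the vendor ACL actually installed on the core switches, and not code from the original page): it parses a raw IPv4 packet, and drops it only when the packet is an ICMP Echo Request (type 8) whose destination is 255.255.255.255 or 224.0.0.1. Unicast Echo Requests, Echo Replies, non-ICMP traffic and anything that is not IPv4 pass. The packets it is run against are constructed inline with a small builder; the source and destination addresses in the test packets (10.8.1.0/24) are assumptions.

```python
"""Added example: a minimal software version of the broadcast/multicast
ICMP Echo Request filter rule (a reading of the page's description, not the
switch configuration itself)."""
import ipaddress
import struct

FILTERED_DESTINATIONS = {
    ipaddress.IPv4Address("255.255.255.255"),  # IPv4 limited broadcast
    ipaddress.IPv4Address("224.0.0.1"),        # IPv4 all-hosts multicast
}
ICMP_PROTO = 1
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used for both IPv4 and ICMP headers.
    Over a header whose checksum field is already correct it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(src: str, dst: str, icmp_type: int, payload: bytes = b"ping") -> bytes:
    """Construct an IPv4 packet carrying an ICMP message (test input only)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, ICMP_PROTO, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + icmp


def should_drop(packet: bytes) -> bool:
    """True if the packet matches the rule: IPv4, ICMP, Echo Request, and a
    destination of 255.255.255.255 or 224.0.0.1."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                            # not IPv4; an IPv6 rule would be separate
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    proto = packet[9]
    dst = ipaddress.IPv4Address(packet[16:20])
    if proto != ICMP_PROTO or frag_offset != 0 or len(packet) < ihl + 8:
        return False                            # not ICMP, or ICMP header not in this fragment
    icmp_type = packet[ihl]
    return icmp_type == ICMP_ECHO_REQUEST and dst in FILTERED_DESTINATIONS


def apply_filter(packets):
    """Split a batch into (passed, dropped) lists, as the switch filter would."""
    passed, dropped = [], []
    for p in packets:
        (dropped if should_drop(p) else passed).append(p)
    return passed, dropped


if __name__ == "__main__":
    # constructed test traffic on an assumed 10.8.1.0/24
    batch = [
        build_ipv4_icmp("10.8.1.5", "255.255.255.255", ICMP_ECHO_REQUEST),  # dropped
        build_ipv4_icmp("10.8.1.5", "224.0.0.1", ICMP_ECHO_REQUEST),        # dropped
        build_ipv4_icmp("10.8.1.5", "10.8.1.9", ICMP_ECHO_REQUEST),         # unicast: passes
        build_ipv4_icmp("10.8.1.9", "10.8.1.5", ICMP_ECHO_REPLY),           # reply: passes
    ]
    ok, gone = apply_filter(batch)
    print(f"passed={len(ok)} dropped={len(gone)}")
```

Note that a first fragment is checked but later fragments of the same datagram are not, since they carry no ICMP header; a real switch ACL has the same limitation. To watch for this traffic on a host rather than filter it, the equivalent tcpdump expression is `icmp[icmptype] == icmp-echo and (dst host 255.255.255.255 or dst host 224.0.0.1)`.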

The traffic is filtered at the campus network's core Ethernet switches; all buildings (or groups of buildings) are attached to these core switches. The filter is presently installed so that it applies only to the networks carrying wireless services provided by OIT. It therefore acts on traffic from those wireless networks as it passes through the campus core on its way from one part of the network to another. (Where several buildings share a single connection to the campus core, the filter does not affect traffic that stays within that group of buildings.)

The filter is not applied at the edge of the wireless services provided by OIT (at the wireless access points), because not all of the wireless access points OIT uses at this time can perform this filtering. As a result, the traffic is not entirely blocked: when one wireless client transmits it, it still reaches other wireless clients within some portion of the network (up to the point where the traffic would need to cross the network core).

It is possible that in the future, the filter installed at the network core might be expanded to also include the wired (non-wireless) networks.

We do not filter unicast ICMP Echo Request traffic; such traffic plays a critical role in IP.


A service of OIT Network Systems
The Office of Information Technology,
Princeton University
Last updated: December 6 2010