On 7-mei-04, at 21:51, Christian Huitema wrote:
The old assumption used to be that if a host has an IP address, it can
receive pretty much any packet sent to that address. The practical
situation we have today is that if two hosts communicate over a given
protocol and port, they can receive packets from the same "five tuple"
but are not guaranteed to receive other packets. This has an important
consequence for many IETF designed protocols, including indeed path MTU
discovery.
So you are saying that when a host sends out an IP packet with the DF
bit set, it's ok for that host (or any system on the path to that host)
to filter out ICMP "fragmentation needed but DF bit set" messages?
Filtering on protocol/port numbers is a broken concept. When are we
going to take the time to come up with a *real* security architecture?
One that allows hosts to receive wanted packets and reject unwanted
ones, rather than the current one where any correlation to whether a
packet is wanted and whether it's rejected seems coincidental at best?
One that at least entertains the possibility of doing something about
denial of service attacks? And, last but not least, one that allows
reasonable protocols, carrying desired communication, to function
without undue breakage?
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf