Re: IETF IPv6 platform configuration

2006-06-15 08:58:08


Iljitsch van Beijnum wrote:
On 15-jun-2006, at 1:51, Mark Andrews wrote:


*    Only HTTP, SMTP, FTP, and DNS traffic are permitted through an IPv6
        Native firewall (pings, traceroutes etc. are dropped)

    Why?  Shouldn't we be prompting good firewall practices?

    Dropping ICMP was a knee-jerk reaction to ICMP echo to
    directed broadcast addresses.  Modern routers can be
    configured to drop directed broadcast packets.

And all of this doesn't even apply to IPv6, it doesn't even support
broadcasts in general or anything resembling directed broadcast. ICMP
replies are also supposed to be rate limited in IPv6.

IPv4 too. There are other reasons to drop them at firewalls (net
mapping, protecting other protocols), but I agree we ought to be an
example of the best the Internet can provide, not the most paranoid.

Joe
