All,
Thank you for your feedback and request. By default, our practice is to
disable these functions until there is a justified need/request. We
have enabled ICMP echo, ICMP traceroute, and UDP traceroute.
Once again, we encourage and look forward to your responses and
requests.
The IETF Secretariat.
****************************
>
> -----Original Message-----
> From: Joe Touch [mailto:touch(_at_)ISI(_dot_)EDU]
> Sent: Thursday, June 15, 2006 11:56 AM
> To: Iljitsch van Beijnum
> Cc: wgchairs(_at_)ietf(_dot_)org; Mark Andrews; ietf(_at_)ietf(_dot_)org
> Subject: Re: IETF IPv6 platform configuration
>
>
>
> Iljitsch van Beijnum wrote:
> > On 15-jun-2006, at 1:51, Mark Andrews wrote:
> >
> >>
> >>> * Only HTTP, SMTP, FTP, and DNS traffic are permitted through an IPv6
> >>> Native firewall (pings, traceroutes etc. are dropped)
> >
> >> Why? Shouldn't we be prompting good firewall practices?
> >
> >> Dropping ICMP was a knee jerk reaction to ICMP echo to
> >> directed broadcast addresses. Modern routers can be
> >> configured to drop directed broadcast packets.
> >
> > And all of this doesn't even apply to IPv6, it doesn't even support
> > broadcasts in general or anything resembling directed broadcast. ICMP
> > replies are also supposed to be rate limited in IPv6.
>
> IPv4 too. There are other reasons to drop them at firewalls (net
> mapping, protecting other protocols), but I agree we ought to be an
> example of the best the Internet can provide, not the most paranoid.
>
> Joe
>
>
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf