Re: Problem of blocking ICMP packets

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7-mei-04, at 21:51, Christian Huitema wrote:

The old assumption used to be that if a host has an IP address, it can
receive pretty much any packet sent to that address. The practical
situation we have today is that if two hosts communicate over a given
protocol and port, they can receive packets from the same "five tuple"
but are not guaranteed to receive other packets. This has an important
consequence for many IETF designed protocols, including indeed path MTU
discovery.

So you are saying that when a host sends out an IP packet with the DF bit set, it's ok for that host (or any system on the path to that host) to filter out ICMP "fragmentation needed but DF bit set" messages?


Filtering on protocol/port numbers is a broken concept. When are we going to take the time to come up with a *real* security architecture? One that allows hosts to receive wanted packets and reject unwanted ones, rather than the current one where any correlation to whether a packet is wanted and whether it's rejected seems coincidental at best? One that at least entertains the possibility of doing something about denial of service attacks? And, last but not least, one that allows reasonable protocols, carrying desired communication, to function without undue breakage?


_______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]