Kevin Loch wrote:
Sam Hartman wrote:
"secIETF" == IETF Secretariat <ietf-secretariat@xxxxxxxx> writes:
secIETF> * Only HTTP, SMTP, FTP, and DNS traffic are permitted through an IPv6
secIETF> Native firewall (pings, traceroutes etc. are dropped)
Please make sure that ICMP messages needed for path MTU discovery are
not filtered.
Is there a compelling reason to filter ICMP at all?
- Kevin
This is not a trivial problem. There is a draft in progress which
recommends what the v6ops wg believes ought to happen.
See
http://www.ietf.org/internet-drafts/draft-ietf-v6ops-icmpv6-filtering-recs-00.txt
This does include making sure Packet Too Big errors are not dropped so
that PMTU works.
This is just about to be very slightly updated but it is essentially finished.
It would be good if we ate our own dogfood in this case (and we can also
test whether the draft has the answers right!)
Regards,
Elwyn
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
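
The filtering question raised in this thread, as an added example that is not part of the original messages and not the configuration of the IETF network: a small Python model of the announced policy, with and without an exception for ICMPv6 Packet Too Big. The well-known port numbers, the `verdict` and `ipv6` helpers, and the sample packets are assumptions made for illustration.

```python
import struct

# IANA protocol numbers and ICMPv6 message types (RFC 4443).
TCP, UDP, ICMPV6 = 6, 17, 58
PACKET_TOO_BIG = 2
ECHO_REQUEST = 128

# Assumed well-known ports for the permitted services: FTP, SMTP, DNS, HTTP.
ALLOWED_TCP = {21, 25, 53, 80}
ALLOWED_UDP = {53}


def verdict(packet: bytes, allow_ptb: bool) -> str:
    """Return 'accept' or 'drop' for a raw IPv6 packet.

    Assumes no extension headers sit between the IPv6 header and the
    upper-layer header (a simplification for this example).
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop"
    next_header = packet[6]
    payload = packet[40:]
    if next_header in (TCP, UDP) and len(payload) >= 4:
        dport = struct.unpack("!H", payload[2:4])[0]
        allowed = ALLOWED_TCP if next_header == TCP else ALLOWED_UDP
        return "accept" if dport in allowed else "drop"
    if next_header == ICMPV6 and len(payload) >= 1:
        # The first ICMPv6 byte is the message type.
        if allow_ptb and payload[0] == PACKET_TOO_BIG:
            return "accept"
    return "drop"


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed IPv6 packet between two documentation addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return header + src + dst + payload


# Constructed samples: a Packet Too Big reporting MTU 1280, an echo request,
# and a TCP segment to port 80 (only the fields the filter reads are filled in).
PTB = ipv6(ICMPV6, struct.pack("!BBHI", PACKET_TOO_BIG, 0, 0, 1280))
PING = ipv6(ICMPV6, struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, 1, 1))
HTTP = ipv6(TCP, struct.pack("!HH", 49152, 80) + bytes(16))
```

With `allow_ptb=False` the HTTP segment passes but the Packet Too Big message that would tell the sender to shrink its packets is dropped; with `allow_ptb=True` it passes while pings are still dropped.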