Iljitsch van Beijnum wrote:

> On 15-jun-2006, at 1:51, Mark Andrews wrote:
>
>>>> * Only HTTP, SMTP, FTP, and DNS traffic are permitted through an IPv6
>>>> Native firewall (pings, traceroutes etc. are dropped)
>>
>> Why? Shouldn't we be promoting good firewall practices?
>>
>> Dropping ICMP was a knee-jerk reaction to ICMP echo to
>> directed broadcast addresses. Modern routers can be
>> configured to drop directed broadcast packets.
>
> And all of this doesn't even apply to IPv6, it doesn't even support
> broadcasts in general or anything resembling directed broadcast. ICMP
> replies are also supposed to be rate limited in IPv6.

IPv4 too. There are other reasons to drop them at firewalls (net mapping, protecting other protocols), but I agree we ought to be an example of the best the Internet can provide, not the most paranoid.

Joe
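As an added illustration of the point above (not part of this thread), here is an nftables ruleset for a Linux host that admits the HTTP, SMTP, FTP and DNS services named in the message while keeping the ICMPv6 messages IPv6 itself depends on, and rate-limiting echo requests instead of dropping them; the interface name, service ports and rate values are assumptions.

```nft
# Added example: a Linux nftables ruleset that filters ICMPv6 selectively
# instead of dropping it wholesale. Interface name, ports and rate limits
# are assumed values for illustration.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbor Discovery and router messages: without these an IPv6
        # host cannot resolve neighbors or learn its router. They are
        # link-local and must arrive with hop limit 255, so enforce that.
        ip6 hoplimit 255 icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert,
            nd-router-solicit, nd-router-advert
        } accept

        # Error messages: Packet Too Big is required for path MTU
        # discovery, since IPv6 routers never fragment in transit.
        icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem
        } accept

        # Echo: permit but rate limit, which bounds the cost of scanning
        # or reflection far better than a blanket drop does.
        icmpv6 type echo-request limit rate 10/second burst 20 packets accept
        icmp   type echo-request limit rate 10/second burst 20 packets accept

        # Same selective treatment for the IPv4 error messages.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # The services the thread lists as permitted.
        ct state new tcp dport { 21, 25, 53, 80 } accept
        ct state new udp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; if neighbor resolution or large transfers break after loading, the ND and packet-too-big rules are the first thing to check.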
_______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf