[...]
>> but, do we then also push the Internet
>> further away from an open end to end capable Internet, stifle
>> innovation in transport etc?
>
> This cat is out of the bag (and has been out of the bag for.. what? 20
> years?). Firewalls block unknown traffic.
>
> And from a netadmin pov, you usually want your network to do what's
> required to do, and not more than that -- that's what "default deny" is
> about.
>
> You don't really want an attacker to hack your network using something
> for which there wasn't a legitimate use case (legitimate == such traffic
> was needed by the task to be performed, and this was known as such to
> the admin).

It is far from that clear cut. It depends on where in the network you are.
In my home at least my hosts are a lot better at dropping unwanted traffic
than my CPE is.

I would be interested in an analysis of where and how header parsing is used.

ISP: ECMP, DoS
Enterprise border: Default drop anything I don't understand (firewall),
including reassembly of fragments
Data centre border: Only allow legitimate applications?

I don't think there is much the IETF can do with the protocols it designs
that will help in the case where someone operates a "throw anything I
don't understand away" policy.

cheers,
Ole

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
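The three header-parsing roles Ole lists (ISP ECMP, enterprise border "default drop what I don't understand", data-centre application allow-list) differ mainly in how far down the IPv6 extension-header chain each box has to walk and what it does when the walk fails. The following is an added illustration, not code from the thread or from any IETF document: a small extension-header walker plus one policy function per role, run over constructed sample packets (addresses, flow label, ports and the path count are made up; next-header value 253 is the IANA experimental value, used here to stand in for a header the parser does not understand). It shows, for the same TCP flow, how a Destination Options header, a first fragment, a later fragment and an unknown header fare at each point in the network.

```python
"""Added example: walk an IPv6 extension-header chain and apply three policies."""
import struct
import zlib
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# IANA protocol numbers used below
NH_HOPOPT, NH_TCP, NH_UDP, NH_ROUTING, NH_FRAGMENT = 0, 6, 17, 43, 44
NH_AH, NH_DSTOPT = 51, 60
NH_EXPERIMENT = 253                      # experimental value; stands in for an unknown header
WALKABLE = {NH_HOPOPT, NH_ROUTING, NH_DSTOPT, NH_AH}   # headers this walker can step over
TRANSPORT = {NH_TCP, NH_UDP}
SRC = bytes.fromhex("20010db8000000000000000000000001")  # constructed addresses
DST = bytes.fromhex("20010db8000000000000000000000002")
ALLOWED = {(NH_TCP, 443)}                # constructed data-centre allow-list: (protocol, dport)


@dataclass
class Parsed:
    src: bytes
    dst: bytes
    flow_label: int
    chain: List[int]                     # next-header values seen, in order
    transport: Optional[int]             # protocol of the transport header, if reached
    ports: Optional[Tuple[int, int]]     # (sport, dport) if the transport header is in this packet
    fragmented: bool
    unknown: bool                        # walk stopped at a header it could not step over


def parse_ipv6(pkt: bytes) -> Parsed:
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not IPv6")
    flow_label = struct.unpack("!I", pkt[:4])[0] & 0xFFFFF
    src, dst = pkt[8:24], pkt[24:40]
    nh, off, chain, fragmented = pkt[6], 40, [], False
    while True:
        chain.append(nh)
        if nh in TRANSPORT:
            ports = struct.unpack("!HH", pkt[off:off + 4]) if len(pkt) >= off + 4 else None
            return Parsed(src, dst, flow_label, chain, nh, ports, fragmented, False)
        if nh == NH_FRAGMENT:
            if len(pkt) < off + 8:
                break
            fragmented = True
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            nh, off = pkt[off], off + 8
            if frag_off != 0:   # non-first fragment: the transport header is in another packet
                return Parsed(src, dst, flow_label, chain, None, None, True, False)
            continue
        if nh in WALKABLE:
            if len(pkt) < off + 2:
                break
            # AH counts its length in 32-bit words, the others in 64-bit units
            step = (pkt[off + 1] + 2) * 4 if nh == NH_AH else (pkt[off + 1] + 1) * 8
            nh, off = pkt[off], off + step
            continue
        break               # ESP, No Next Header, truncated, or a value we cannot walk
    return Parsed(src, dst, flow_label, chain, None, None, fragmented, True)


def isp_ecmp(p: Parsed, n_paths: int) -> int:
    """ISP core: 5-tuple hash when the transport header is reachable, else
    fall back to (src, dst, flow label) so the packet still gets a path."""
    if p.ports is not None:
        key = p.src + p.dst + bytes([p.transport]) + struct.pack("!HH", *p.ports)
    else:
        key = p.src + p.dst + struct.pack("!I", p.flow_label)
    return zlib.crc32(key) % n_paths


def enterprise_border(p: Parsed) -> str:
    """Default deny: anything not understood is dropped, fragments included
    (this box does not reassemble)."""
    return "drop" if (p.unknown or p.fragmented or p.transport not in TRANSPORT) else "accept"


def datacentre_border(p: Parsed, allowed: Set[Tuple[int, int]]) -> str:
    """Allow only the listed (protocol, destination port) applications."""
    if p.ports is None:
        return "drop"
    return "accept" if (p.transport, p.ports[1]) in allowed else "drop"


def build_ipv6(ext: List[Tuple[int, bytes]], transport: int, l4: bytes, flow_label: int = 0x12345) -> bytes:
    """Constructed packet; byte 0 of each extension header is overwritten with
    the Next Header value of whatever follows it."""
    types = [t for t, _ in ext] + [transport]
    body = b"".join(bytes([types[i + 1]]) + h[1:] for i, (_, h) in enumerate(ext)) + l4
    return struct.pack("!IHBB", (6 << 28) | flow_label, len(body), types[0], 64) + SRC + DST + body


TCP_443 = struct.pack("!HH", 40000, 443) + bytes(16)      # constructed TCP header, ports only
DSTOPT = bytes([0, 0, 1, 4, 0, 0, 0, 0])                  # 8-byte Destination Options (one PadN)
FRAG_FIRST = struct.pack("!BBHI", 0, 0, 1, 0x1234)        # offset 0, M=1
FRAG_LATER = struct.pack("!BBHI", 0, 0, 1 << 3, 0x1234)   # offset 8 octets, M=0
SAMPLES = {
    "plain": build_ipv6([], NH_TCP, TCP_443),
    "dstopt": build_ipv6([(NH_DSTOPT, DSTOPT)], NH_TCP, TCP_443),
    "frag_first": build_ipv6([(NH_FRAGMENT, FRAG_FIRST)], NH_TCP, TCP_443),
    "frag_later": build_ipv6([(NH_FRAGMENT, FRAG_LATER)], NH_TCP, bytes(20)),
    "unknown": build_ipv6([(NH_EXPERIMENT, bytes(8))], NH_TCP, TCP_443),
}


def classify(name: str) -> dict:
    p = parse_ipv6(SAMPLES[name])
    return {"chain": p.chain, "ecmp": isp_ecmp(p, 4),
            "enterprise": enterprise_border(p), "datacentre": datacentre_border(p, ALLOWED)}


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:11s} {classify(name)}")
```

Running it shows the split Ole's list implies: the ISP's ECMP keeps the plain, Destination-Options and first-fragment packets of a flow on the same path (same 5-tuple) while a later fragment falls back to the 3-tuple key and may land elsewhere; the enterprise border drops every fragment and every unknown header regardless of the application behind it; and the data-centre border accepts whatever it can map to an allowed (protocol, port), so a first fragment carrying the TCP ports passes even though the enterprise box dropped it.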
