> From: NANOG <[email protected]> On Behalf Of Saku Ytti
>
> Hey Rich,
>
> > I've pointed folks at this for years:
> > ICMP Packet Filtering v1.2
> > http://www.cymru.com/Documents/icmp-messages.html
>
> To me, the correct pattern here is to deny things you know to be harmful
> and can justify it reasonably and test that justification over time for its
> validity.
>

Let me play devil's advocate here: the above statement begs a question, then. How do you know all that is harmful? Would you test for every possible extension and hw/sw permutation? So there would be 3 sets (though lines might be blurred): known safe, known harmful and, the biggest of them, unknown unknowns. Now, as an operator of a commercial network (i.e. your customers like it mostly up), wouldn't you do a calculated risk evaluation and opt for the known safe, which you know 99% of your customers use, and block the rest while pissing off the remaining 1%? I know it sounds awful (like a calculation for vehicle safety recalls), but ...

adam

