> From: Saku Ytti <[email protected]>
> Sent: Tuesday, March 5, 2019 3:00 PM
>
> On Tue, Mar 5, 2019 at 4:54 PM <[email protected]> wrote:
>
> > Let me play a devil's advocate here, the above statement begs a question
> > then, how do you know all that is harmful would you test for every possible
> > extension and hw/sw permutation?
> > So there would be 3 sets (though lines might be blurred) known safe,
> > known harmful and the biggest of them unknown unknowns.
> > Now as an operator of a commercial network (i.e. your customers like it
> > mostly up) wouldn't you do a calculated risk evaluation and opt for the
> > known safe -which you know 99% of your customers use and block the rest
> > while pissing off the remaining 1%?
> > I know it sounds awful (like a calculations for vehicle safety recalls),
> > but ...
>
> Fear is excellent marketing tool, as we can see in politics, works every time.
> But I rather fix realised problems, rather than make unprovable assumptions
> of actions yielding to net benefit. The assumption here is, if we just allow
> ICMP types A, B and C we are gaining in security, can we substantiate that
> claim at all? We can substantiate easily that the proposed ICMP filter breaks
> real useful ICMP tooling.

From past experience my assumptions would be more along the lines of if it's
not mainstream there's a higher likelihood that it might trigger exceptions in
code.

adam

