A host or network which drops all ICMP indiscriminately is fundamentally broken, and I could make an argument for not allowing it to communicate with other networks at all. If someone is demanding drop-all-ICMP as "security best practice" then you need to find someone who actually understands networks and network security, and possibly challenge your current security advisor(s) for fraud.
--
brandon s allbery kf8nh
sine nomine associates
[email protected]
[email protected]
unix, openafs, kerberos, infrastructure, xmonad
http://sinenomine.net
________________________________________
From: [email protected] [[email protected]] on behalf of Antony Mayi [[email protected]]
Sent: Thursday, February 07, 2013 11:36
To: Andrew Deason; [email protected]
Subject: Re: [OpenAFS] Re: mtu problem

(...) modern tcp/ip stack is setting Don't Fragment flag by default so oversized packets are always dropped (relevant ICMP should be sent back for PMTU discovery to kick in though which is not happening in my case).

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
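
The PMTU discovery dependency discussed in this thread, as an added Python example that is not part of the original messages: it builds and parses the ICMP "fragmentation needed and DF set" message (type 3, code 4, RFC 1191) and simulates a sender under two filter policies. The function names, the filter callbacks and the link MTU values are constructed for illustration.

```python
import struct

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4  # type 3, code 4 (RFC 1191)

def inet_checksum(data: bytes) -> int:
    """Internet checksum; returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """ICMP message a router sends when a DF packet exceeds the next link."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                       0, 0, next_hop_mtu) + original
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_frag_needed(icmp: bytes):
    """Return the advertised next-hop MTU, or None if not a valid 3/4 message."""
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    return mtu if (icmp_type, code) == (3, 4) else None

# Two constructed firewall policies: return True to let the ICMP message through.
def drop_all_icmp(icmp: bytes) -> bool:
    return False

def allow_frag_needed(icmp: bytes) -> bool:
    return icmp[0] == ICMP_DEST_UNREACH and icmp[1] == ICMP_FRAG_NEEDED

def discover_pmtu(link_mtus, start_size, icmp_filter):
    """Simulate a DF sender: returns the working size, or None (black hole)."""
    size = start_size
    quoted = b"\x45" + b"\x00" * 27  # constructed: IP header + 8 bytes of payload
    for _ in range(len(link_mtus) + 1):
        bottleneck = next((m for m in link_mtus if m < size), None)
        if bottleneck is None:
            return size                       # packet fits every link
        icmp = build_frag_needed(bottleneck, quoted)
        if not icmp_filter(icmp):
            return None                       # ICMP filtered: sender never learns
        size = parse_frag_needed(icmp)
    return size

if __name__ == "__main__":
    path = [1500, 1400, 1280]                 # constructed link MTUs
    print("allow type 3 code 4:", discover_pmtu(path, 1500, allow_frag_needed))
    print("drop all ICMP:      ", discover_pmtu(path, 1500, drop_all_icmp))
```
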
