Greetings, I reviewed this probably later then I should have after volunteering to do so.
The mechanism proposed in draft-gont-opsec-icmp-ingress-filtering is akin to a strict mode RPF check for the IP Destination header contained in an ICMP error message though in practical terms a device such as a firewall without recourse to a routing table would probably employ an access list for enforcement. While similar to other antispoofing measures one can employ to prevent spoofed traffic with internal source addresses from ingressing a network it may be technically infeasible to implement in the same mediation devices e.g. routers or switches, a problem we also noted with icmp6 payload inspection in RFC 7690 section 4. I'm sympathic generally to this draft, section 5 implementation details could be rewriten more cleanly to suggest how it is implemented. e.g. IF embedded packet's Destination Address is from within my network THEN forward as appropriate The destination match is due to a learned route (which assumes some minimal level of path or routing symmetry which firewalls tend to require anyway); or an access list. Thanks joel
signature.asc
Description: OpenPGP digital signature
_______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
