[ipv6hackers] Operational ICMPv6 Filtering
daniel.bartram at bt.com
daniel.bartram at bt.com
Thu May 31 15:52:51 CEST 2012
Granted, but hackers don't work within what the RFC's say, or on the converse can work within exactly what they say to find vulnerabilities. If I don't know or need what type 4 does then I will block it until a time where I do need it or I find it did in fact break something. Why leave it open just because something tells you to? I'd expect an even better network engineer to make their own rules.
Dan.
-----Original Message-----
From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-bounces at lists.si6networks.com] On Behalf Of Simon Perreault
Sent: 31 May 2012 14:42
To: ipv6hackers at lists.si6networks.com
Subject: Re: [ipv6hackers] Operational ICMPv6 Filtering
On 2012-05-31 09:30, daniel.bartram at bt.com wrote:
> Thanks Simon. This particular ACL was for a WAN facing link towards an
> ISP infrastructure where a static /127 is used. I wasn't sure, but I
> didn't think blocking type 4 would have any affect at all?
I wouldn't ignore an RFC recommendation without being sure...
The nice thing is that there's an RFC you can point to when people question why such and such ICMP types/codes are open. Following best current practices is what I would expect of a good network engineer.
Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
_______________________________________________
Ipv6hackers mailing list
Ipv6hackers at lists.si6networks.com
http://lists.si6networks.com/listinfo/ipv6hackers
More information about the Ipv6hackers
mailing list