|
|
Joe,
>> Thus, I don't understand how can you take that as a recommendation
for
>> ICMP filtering.
>
> The recommendation is that if you don't trust ICMP, filter it out
> entirely. The recommendation comes with the caveat that if you want to
> be responsive, you need to accept unauthenticated ICMPs since there is
> no way to authenticate them sufficiently. It's a choice that's up to
you
> - but if you don't trust ICMP, the choice is very clear.
My only comment here is that things in our imperfect world
are very rarely black-and-white; they are almost always
shades of gray...
Fred
fred.l.templin@xxxxxxxxxx
_______________________________________________
tcpm mailing list
tcpm@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/tcpm
|
|