>> Thus, I don't understand how can you take that as a recommendation
>> ICMP filtering.
> The recommendation is that if you don't trust ICMP, filter it out
> entirely. The recommendation comes with the caveat that if you want to
> be responsive, you need to accept unauthenticated ICMPs since there is
> no way to authenticate them sufficiently. It's a choice that's up to
> - but if you don't trust ICMP, the choice is very clear.
My only comment here is that things in our imperfect world
are very rarely black-and-white; they are almost always
shades of gray...
tcpm mailing list