Re: [v6ops] ICMP rate-limiting in draft-ietf-v6ops-ipv6rtr-reqs-00

Simon Hobson <linux@thehobsons.co.uk> Mon, 31 July 2017 10:31 UTC

To: IPv6 Ops WG <v6ops@ietf.org>
In-Reply-To: <539ae305-841b-8020-e509-62135de04b4b@akamai.com>
Message-Id: <D31F6BE0-C396-41A2-931B-FD0AC0428C9E@thehobsons.co.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/eGL4hGxhpW0_MOw7g2Zg54jzp4s>

"Alvarez, Pablo" <palvarez@akamai.com> wrote:

> Finally, I have a concern about the second bullet in paragraph 5.4. The current draft states:
> 
> o  SHOULD filter ICMP echo and echo response by default, to prevent 
>    the discovery of reachable hosts and topology. 
> 
> 
> This recommendation is quite strong, and is presented without further discussion or justification. I am interested in the justification for this, and its value as compared to the cost to researchers, CDNs, network operators and others who benefit from being able to better understand network topology (and who can provide better service to end users with that understanding). In fact, paragraph 4.2 of the current draft emphasizes the importance of being able to visualize and understand network topology.

It does seem odd, and it's been a bugbear of mine (with my work hat on) that basic troubleshooting should be so hampered by people who think that filtering ICMP Echo endows some sort of security. I liken it to someone removing the house number from the front of the house as though not having it visible somehow protects from burglars.
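The thread's subject is ICMP rate-limiting, and the quoted bullet is the other extreme: filter echo entirely. The following is an added illustration, not code from the thread, the draft, or any vendor: a token-bucket limiter that still answers Echo Requests at a troubleshooting pace but caps replies under a flood, so topology is not hidden from operators while the router's control plane is protected. The rate and burst values, the class and function names, and the constructed traffic patterns are all assumptions made for this example and do not come from the draft.

```python
"""Token-bucket rate limiting for ICMPv6 Echo Reply generation.

Constructed example: models a router that answers Echo Requests but
caps how fast it replies, as an alternative to filtering echo outright.
The rate/burst figures are assumptions for illustration, not values
taken from draft-ietf-v6ops-ipv6rtr-reqs.
"""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate: float                      # replies allowed per second, sustained
    burst: float                     # bucket capacity: replies allowed in a burst
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        # Start full so the first burst of pings is answered immediately.
        self.tokens = self.burst

    def allow(self, now: float) -> bool:
        """Return True if an Echo Reply may be sent at time `now` (seconds)."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        # Refill proportionally to elapsed time, never above capacity.
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def answer_echoes(arrivals, rate=10.0, burst=20.0):
    """Run Echo Request arrival times (seconds) through the limiter.

    Returns (answered, limited): requests that would get an Echo Reply and
    requests that would be silently dropped by the limiter.
    """
    bucket = TokenBucket(rate=rate, burst=burst)
    answered = limited = 0
    for t in sorted(arrivals):
        if bucket.allow(t):
            answered += 1
        else:
            limited += 1
    return answered, limited


def probe_like_traffic(count=60, interval=1.0):
    """Constructed input: an operator's ping, one request per second."""
    return [i * interval for i in range(count)]


def flood_like_traffic(count=1000, duration=1.0):
    """Constructed input: `count` requests spread evenly over `duration` s."""
    return [i * duration / count for i in range(count)]


if __name__ == "__main__":
    print("steady ping (answered, limited):", answer_echoes(probe_like_traffic()))
    print("flood       (answered, limited):", answer_echoes(flood_like_traffic()))
```

With these assumed parameters the one-per-second troubleshooting ping is answered in full, while a thousand requests in one second are capped at roughly burst plus one second of refill; reachability and path information remain available to operators without letting echo traffic consume the router's ICMP generation budget.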