nanog mailing list archives
Re: WIndows Updates Fail Via IPv6 - Update!
From: Saku Ytti <saku () ytti fi>
Date: Mon, 4 Mar 2019 10:13:53 +0200
On Mon, Mar 4, 2019 at 10:02 AM Mark Tinka <mark.tinka () seacom mu> wrote:
Can we make a short rule that says: For ICMP, *ALLOW* *ALL* unless you do have a very specific and motivated reason to block some types. I would even go as far as "allow all icmp from any to any" (and if possible as the first firewall rule), but I do understand that may make some people have hives.
Not to be the wet blanket, but we've been crying about this since before I knew what CLI meant, and it either didn't work or has gotten even worse. That is how we ended up with all manner of hacks to work around failure to reliably deliver PTB messages.
Not just ICMP but everything. We've designed these nice extendible protocols, but we've configured the network so that we can't extend them. Like why is QUIC riding on UDP, instead of having its own L4 protocol number? Because of HTTP/3, the majority of Internet traffic will be UDP, and due to its reflection potential in other applications that is not an obvious net win. We should just retire UDP with the status of 'trusted network only L4' and use something like QUIC for all untrusted L4 applications, where we've thought about issues like reflection.
--
++ytti