nanog mailing list archives

RE: WIndows Updates Fail Via IPv6 - Update!


From: <adamv0025 () netconsultings com>
Date: Tue, 5 Mar 2019 14:54:34 -0000

From: NANOG <nanog-bounces () nanog org> On Behalf Of Saku Ytti

Hey Rich,

I've pointed folks at this for years:
        ICMP Packet Filtering v1.2
        http://www.cymru.com/Documents/icmp-messages.html


To me, the correct pattern here is to deny things you know to be harmful
and can justify it reasonably and test that justification over time for its
validity.

Let me play devil's advocate here. The above statement begs a question, then: how do you know all that is harmful? Would you test for every possible extension and hw/sw permutation?
So there would be 3 sets (though the lines might be blurred): known safe, known harmful, and the biggest of them, unknown unknowns.
Now, as an operator of a commercial network (i.e. your customers like it mostly up), wouldn't you do a calculated risk evaluation and opt for the known safe, which you know 99% of your customers use, and block the rest while pissing off the remaining 1%?
I know it sounds awful (like the calculations for vehicle safety recalls), but ...
 

adam 

