nanog mailing list archives

Re: Windows Updates Fail Via IPv6 - Update!


From: Saku Ytti <saku () ytti fi>
Date: Tue, 5 Mar 2019 16:59:31 +0200

On Tue, Mar 5, 2019 at 4:54 PM <adamv0025 () netconsultings com> wrote:

Let me play devil's advocate here: the above statement begs a question then, how do you know all that is harmful? Would you test for every possible extension and hw/sw permutation?
So there would be 3 sets (though lines might be blurred): known safe, known harmful and the biggest of them, unknown unknowns.
Now as an operator of a commercial network (i.e. your customers like it mostly up) wouldn't you do a calculated risk evaluation and opt for the known safe, which you know 99% of your customers use, and block the rest while pissing off the remaining 1%?
I know it sounds awful (like a calculation for vehicle safety recalls), but ...

You don't know. Everything is horribly broken anyhow and if you are
not pwned, the main reason is that you're not an attractive target. If
you are being targeted, you will be pwned by a zero to modest budget.
Attacker budget leverage to defender is ridiculous. And ICMP won't be
the vector.

Fear is an excellent marketing tool, as we can see in politics, works
every time. But I'd rather fix realised problems than make
unprovable assumptions of actions yielding to net benefit. The
assumption here is, if we just allow ICMP types A, B and C we are
gaining in security, can we substantiate that claim at all? We can
substantiate easily that the proposed ICMP filter breaks real useful
ICMP tooling.



-- 
  ++ytti

