[AusNOG] icmp best practise

Mark Andrews marka at isc.org
Tue Nov 24 09:33:13 EST 2015


In message <CAO42Z2y9Nqk-XxP1N4OAAHu+=oqJiNMY22rZGhKOJTaODZ+WoA at mail.gmail.com>, Mark Smith writes:
> 
> On 23 Nov 2015 6:26 PM, "Jeremy Visser" <jeremy.visser at gmail.com> wrote:
> >
> > On Mon, Nov 23, 2015 at 2:15 PM, David Hughes <david at hughes.com.au> wrote:
> > > Team Cymru could be a good first point of reference.
> > > https://www.cymru.com/Documents/icmp-messages.html
> >
> > Ouch. That page doesn't suggest allowing ICMP "Packet Too Big" which
> > is a recipe for tarpitting TCP should you use IPv6 on a <1500 MTU
> > network and don't hack your TCP MSS.
> >
> 
> The better you look, the more you see.
> 
> IPv6 version:
> 
> "Recommendations for Filtering ICMPv6 Messages in Firewalls"
> https://tools.ietf.org/html/rfc4890

And NIST's recommendations.  Australia isn't any different w.r.t.
protecting networks than the rest of the world.

> Toot!
> 
> http://www.slideshare.net/mobile/MarkSmith214/wysrrfcsandids
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
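
The Packet Too Big concern raised in the thread, as a check against the RFC 4890 (section 4.3.1) list of transit ICMPv6 that must not be dropped. This is an added example, not part of the original thread. It assumes a stateless rule list in the style of `ip6tables -S` output; the function names and the sample ruleset are constructed for illustration, and rules with other matches (connection state, addresses) are not modelled.

```python
import re

# RFC 4890 section 4.3.1: transit ICMPv6 that must not be dropped.
# Value is (type, code); code None means every code of that type.
MUST_NOT_DROP = {
    "Destination Unreachable": (1, None), "Packet Too Big": (2, None),
    "Time Exceeded, code 0": (3, 0), "Parameter Problem, code 1": (4, 1),
    "Parameter Problem, code 2": (4, 2),
    "Echo Request": (128, None), "Echo Response": (129, None),
}
RULE = re.compile(r"^-A (\S+) (.*?)-j (ACCEPT|DROP|REJECT)\b")
ICMP6 = re.compile(r"--icmpv6-type (\d+)(?:/(\d+))?")

def parse(ruleset, chain="FORWARD"):
    """Return (policy, [(type, code, action)]) for stateless rules of one chain."""
    policy, rules = "ACCEPT", []
    for line in map(str.strip, ruleset.strip().splitlines()):
        if line.startswith(f"-P {chain} "):
            policy = line.split()[2]
        m = RULE.match(line)
        if not m or m.group(1) != chain:
            continue
        t = ICMP6.search(m.group(2))
        rest = ICMP6.sub("", m.group(2)).replace("-p ipv6-icmp", "").replace("-m icmp6", "")
        if rest.strip():  # rules with other matches (state, addresses) are not modelled
            continue
        rules.append((t and int(t.group(1)), t and t.group(2) and int(t.group(2)), m.group(3)))
    return policy, rules

def verdict(policy, rules, icmp_type, code):
    """First matching rule wins; code None asks about every code of the type."""
    for r_type, r_code, action in rules:
        if r_type is None or (r_type == icmp_type and r_code in (None, code)):
            return action
        if r_type == icmp_type and code is None and action != "ACCEPT":
            return action  # at least one code of this type is dropped
    return policy

def audit(ruleset, chain="FORWARD"):
    """Names of RFC 4890 must-not-drop messages this chain does not accept."""
    policy, rules = parse(ruleset, chain)
    return sorted(n for n, (t, c) in MUST_NOT_DROP.items()
                  if verdict(policy, rules, t, c) != "ACCEPT")

# Constructed sample: default-drop chain that accepts everything except type 2.
SAMPLE = "-P FORWARD DROP\n" + "\n".join(
    f"-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type {t} -j ACCEPT"
    for t in ("1", "3/0", "4/1", "4/2", "128", "129"))
```

`audit(SAMPLE)` reports only Packet Too Big as missing, which is the gap that stalls TCP over IPv6 paths with an MTU below 1500.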

