draft-ietf-opsec-filter-caps-08.txt
Re-reading this I-D one trivial technical comment from section 3.6:

   Some denial of service attacks are based on the ability to flood
   the victim with ICMP traffic. One quick way (admittedly with some
   negative side effects, e.g. breaking path MTU discovery) to
   mitigate the effects of such attacks is to drop all ICMP traffic
   headed toward the victim.

I'm not sure how dropping ICMP traffic *toward the victim* breaks
P-MTU, unless it's some ICMP-based Application that's looking to
discover the path MTU. If you're dropping ICMP traffic back towards
the source (i.e., the ICMP Destination Unreachable - fragmentation
needed and DF set) responses I'd understand, but I don't fully
understand the "e.g." above. Was this an oversight or am I missing
something?
Thanks!
-danny