
Fwd: draft-ietf-opsec-filter-caps-08.txt



Chris, I think that was your text.  Care to take a crack at the rewording?

---George

---------- Forwarded message ----------
From: Danny McPherson <danny@tcb.net>
Date: Jun 27, 2007 10:01 PM
Subject: draft-ietf-opsec-filter-caps-08.txt
To: opsec@ops.ietf.org


Re-reading this I-D one trivial technical comment from section
3.6:

      Some denial of service attacks are based on the ability to flood
      the victim with ICMP traffic.  One quick way (admittedly with some
      negative side effects, e.g. breaking path MTU discovery) to
      mitigate the effects of such attacks is to drop all ICMP traffic
      headed toward the victim.

I'm not sure how dropping ICMP traffic *toward the victim* breaks
P-MTU, unless it's some ICMP-based application that's looking to
discover the path MTU.  If you're dropping ICMP traffic back towards
the source (i.e., the ICMP Destination Unreachable - fragmentation
needed and DF set) responses I'd understand, but I don't fully
understand the "e.g." above.  Was this an oversight or am I missing
something?

Thanks!

-danny
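To make the question above concrete, the following is a toy Path MTU Discovery simulation. It is an added example, not code from the draft or from either poster; the A/R1/R2/B topology, the link MTUs, the host names and the two filter policies are all constructed for illustration. It applies the draft's coarse "drop all ICMP toward the victim" policy and a narrower variant that exempts fragmentation-needed messages, then reports which flows still discover the path MTU. Because a router addresses its frag-needed message to the source of the oversized packet, a filter on ICMP toward the victim leaves flows toward the victim intact but black-holes flows the victim itself originates (for example a server's responses), which is the side effect the draft text alludes to. The narrower policy still stops the echo flood without that side effect.

```python
"""Toy model of Path MTU Discovery under an ICMP filter.

Added example for this thread; not code from the draft or from either
poster.  Topology, addresses, link MTUs and policies are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

FRAG_NEEDED = (3, 4)    # ICMP Destination Unreachable, code 4: frag needed and DF set
ECHO_REQUEST = (8, 0)   # the kind of ICMP a flood is typically made of


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp" or "icmp"
    size: int
    df: bool = False
    icmp: Optional[tuple] = None  # (type, code) when proto == "icmp"
    next_hop_mtu: int = 0         # carried in a frag-needed message


# Constructed topology: A -- R1 -- R2 -- B, with the small MTU in the middle
# so that oversized DF packets in either direction are bounced by a router.
ROUTE = ["A", "R1", "R2", "B"]
LINK_MTU = {("A", "R1"): 1500, ("R1", "R2"): 1400, ("R2", "B"): 1500}


def link_mtu(a: str, b: str) -> int:
    return LINK_MTU.get((a, b)) or LINK_MTU[(b, a)]


def path(src: str, dst: str) -> list:
    i, j = ROUTE.index(src), ROUTE.index(dst)
    return ROUTE[i:j + 1] if i < j else ROUTE[j:i + 1][::-1]


Policy = Callable[[Packet], bool]  # True = permit, False = drop


def no_filter(pkt: Packet) -> bool:
    return True


def drop_icmp_toward(victim: str) -> Policy:
    """The coarse mitigation quoted from the draft: drop all ICMP to the victim."""
    return lambda pkt: not (pkt.proto == "icmp" and pkt.dst == victim)


def drop_icmp_toward_except_pmtud(victim: str) -> Policy:
    """Narrower variant: drop ICMP addressed to the victim except frag-needed,
    so the victim's own outbound flows keep working PMTUD."""
    return lambda pkt: not (pkt.proto == "icmp" and pkt.dst == victim
                            and pkt.icmp != FRAG_NEEDED)


def forward(pkt: Packet, policy: Policy) -> Optional[Packet]:
    """Carry a packet hop by hop, applying the policy at every hop.
    Returns what finally reaches a host: the packet itself, a frag-needed
    ICMP generated by a router, or None if the policy dropped it."""
    hops = path(pkt.src, pkt.dst)
    for here, nxt in zip(hops, hops[1:]):
        if not policy(pkt):
            return None
        mtu = link_mtu(here, nxt)
        if pkt.size > mtu and pkt.df:
            # Router cannot forward and DF is set: ICMP goes back to the source.
            bounce = Packet(src=here, dst=pkt.src, proto="icmp", size=56,
                            icmp=FRAG_NEEDED, next_hop_mtu=mtu)
            return forward(bounce, policy)
    return pkt


def discover_pmtu(src: str, dst: str, policy: Policy, attempts: int = 4) -> Optional[int]:
    """Sender starts at its own link MTU with DF set and lowers it on each
    frag-needed it receives.  Returns the discovered PMTU, or None when the
    flow black-holes (data never arrives and no ICMP comes back)."""
    mtu = link_mtu(src, path(src, dst)[1])
    for _ in range(attempts):
        reply = forward(Packet(src, dst, "tcp", mtu, df=True), policy)
        if reply is None:
            return None
        if reply.proto == "icmp" and reply.icmp == FRAG_NEEDED:
            mtu = reply.next_hop_mtu
            continue
        return mtu
    return None


def flood_reaches(attacker: str, victim: str, policy: Policy) -> bool:
    """Does one echo request of a flood get delivered to the victim?"""
    pkt = Packet(attacker, victim, "icmp", 64, icmp=ECHO_REQUEST)
    return forward(pkt, policy) is not None


if __name__ == "__main__":
    victim = "B"
    for name, policy in [("no filter", no_filter),
                         ("drop all ICMP toward B", drop_icmp_toward(victim)),
                         ("drop ICMP toward B except frag-needed",
                          drop_icmp_toward_except_pmtud(victim))]:
        print(f"{name:40} flood reaches B: {flood_reaches('A', victim, policy)!s:5} "
              f"PMTU A->B: {discover_pmtu('A', victim, policy)!s:5} "
              f"PMTU B->A: {discover_pmtu(victim, 'A', policy)}")
```

Run as a script it prints one row per policy. Under the coarse policy the A->B flow still settles on 1400 while B->A returns None (black hole); under the narrower policy both directions settle on 1400 and the echo request is still dropped. Whether a real filter can be made this selective depends on the platform, but the direction of the frag-needed message is the part that matters for the draft's wording.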