Re: I-D.ietf-v6ops-cpe-simple-security-09 - ICMP Error Messages
On Mar 8, 2010, at 00:22, Rémi Després wrote:
>
> In the draft, the only REC-n concerning ICMP is so far:
> "REC-16: If a gateway forwards a UDP exchange, it MUST also forward ICMP Destination Unreachable messages containing UDP headers that match the exchange state record."
>
> In my understanding, what is needed is, for each of the transport protocols:
> "REC-n: If a gateway forwards a NNN exchange, it MUST also forward, in both directions, ICMP Error messages containing UDP headers that match the exchange state record."

Please also see REC-29, REC-34 and REC-38.

> - Forwarded error messages must be also for TCP, DCCP, etc., and must be more general than just Destination Unreachable: they must include in particular Packet Too Big notifications which are essential for IPv6 path-MTU discovery.

Agreed, but I'm now inclined to remove all four of those recommendations and insert an explicit recommendation into the "Stateless Filters" section that cites RFC 4890 and specifically references section 4.3.1 "Traffic That Must Not Be Dropped".

Does anyone object to that revision?

--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering
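
An added illustration, not part of the original message or of the draft: a sketch of the matching discussed in this thread, where a stateful gateway forwards an ICMPv6 error only if the transport header embedded in it matches an exchange state record, for any port-based transport and any error type including Packet Too Big. The function names, the state-record tuple layout and the sample addresses are assumptions; checksums are not verified and extension headers in the embedded packet are not walked.

```python
import ipaddress
import struct

# ICMPv6 error types (RFC 4443): 1 Destination Unreachable, 2 Packet Too Big,
# 3 Time Exceeded, 4 Parameter Problem.
ICMP6_ERROR_TYPES = {1, 2, 3, 4}
# TCP, UDP and DCCP all start with 16-bit source and destination ports.
PORT_TRANSPORTS = {6, 17, 33}

def embedded_flow(icmp6: bytes):
    """Return (proto, src, sport, dst, dport) of the invoking packet, or None."""
    if len(icmp6) < 8 + 40 + 4 or icmp6[0] not in ICMP6_ERROR_TYPES:
        return None
    inner = icmp6[8:]                      # skip type, code, checksum, 4-byte field
    if inner[0] >> 4 != 6 or inner[6] not in PORT_TRANSPORTS:
        return None                        # extension headers are not walked here
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    sport, dport = struct.unpack("!HH", inner[40:44])
    return (inner[6], src, sport, dst, dport)

def should_forward(icmp6: bytes, state: set) -> bool:
    """Forward only errors whose embedded headers match a state record."""
    flow = embedded_flow(icmp6)
    if flow is None:
        return False
    proto, src, sport, dst, dport = flow
    # The invoking packet may belong to either direction of the exchange.
    return flow in state or (proto, dst, dport, src, sport) in state

def make_error(icmp_type, proto, src, sport, dst, dport, field=0):
    """Build a constructed ICMPv6 error (checksum left at 0, not verified)."""
    inner = struct.pack("!IHBB", 0x60000000, 8, proto, 64)
    inner += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    inner += struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHI", icmp_type, 0, 0, field) + inner

# Constructed sample state: (proto, interior addr, port, exterior addr, port).
IN, OUT = "2001:db8:1::10", "2001:db8:2::20"   # documentation-prefix addresses
STATE = {(17, ipaddress.IPv6Address(IN), 40000, ipaddress.IPv6Address(OUT), 53),
         (6, ipaddress.IPv6Address(IN), 40001, ipaddress.IPv6Address(OUT), 443)}
```
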