Windows Updates Fail Via IPv6 - Update!

Saku Ytti saku at ytti.fi
Tue Mar 5 12:35:13 UTC 2019


Hey Rich,

> I've pointed folks at this for years:
>         ICMP Packet Filtering v1.2
>         http://www.cymru.com/Documents/icmp-messages.html

To me this seems an anti-pattern. It seems it was written on the basis of
'what we know we allow, what we don't know we deny'. With the assumption
that ICMP is dangerous. Similarly we break IP extensibility by not
allowing IP protocols we don't know about.
There are many, hopefully obvious, reasons that just because we don't
know about it doesn't mean it's dangerous. One of the more obvious is that
it may not exist yet.

To me, the correct pattern here is to deny things you know to be
harmful and can justify it reasonably and test that justification over
time for its validity.

One particular example springs to mind: ICMP Timestamp. This allows
you to measure unidirectional latency to millisecond precision, unless
we specifically break it. It's been a useful troubleshooting tool to me
in the past, saving time and money.


-- 
  ++ytti
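
The unidirectional measurement mentioned in the message above, as an added example that is not part of the original post: a parser for an ICMP Timestamp Reply (type 14, RFC 792) that splits a round trip into forward, remote hold and return delay. The function names and the sample reply bytes are constructed for illustration, and the one-way figures assume both hosts' clocks are synchronized (for example by NTP).

```python
import struct

DAY_MS = 24 * 60 * 60 * 1000  # timestamps are ms since midnight UT (RFC 792)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_message(icmp_type, ident, seq, orig, recv, xmit) -> bytes:
    """Build a 20-byte ICMP timestamp message (used here for sample data)."""
    body = struct.pack("!BBHHHIII", icmp_type, 0, 0, ident, seq, orig, recv, xmit)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def signed_diff_ms(later: int, earlier: int) -> int:
    """Difference modulo one day, so a midnight rollover is not read as ~24 h."""
    d = (later - earlier) % DAY_MS
    return d - DAY_MS if d > DAY_MS // 2 else d

def one_way_delays(reply: bytes, arrival_ms: int) -> dict:
    """Parse a Timestamp Reply; arrival_ms is our own clock at receipt."""
    if len(reply) != 20:
        raise ValueError("ICMP timestamp messages are exactly 20 bytes")
    if inet_checksum(reply) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq, orig, recv, xmit = struct.unpack(
        "!BBHHHIII", reply)
    if icmp_type != 14 or code != 0:
        raise ValueError("not a Timestamp Reply (type 14, code 0)")
    if (recv | xmit) & 0x80000000:  # high bit marks non-standard time
        raise ValueError("responder flagged non-standard timestamps")
    return {
        "id": ident,
        "seq": seq,
        "forward_ms": signed_diff_ms(recv, orig),       # us -> remote
        "remote_hold_ms": signed_diff_ms(xmit, recv),   # time inside remote
        "return_ms": signed_diff_ms(arrival_ms, xmit),  # remote -> us
    }

# Constructed sample: request sent 10 ms before midnight UT, reply after it.
SAMPLE_REPLY = build_message(14, 0x1234, 1, 86_399_990, 7, 8)

if __name__ == "__main__":
    print(one_way_delays(SAMPLE_REPLY, arrival_ms=20))
```

An asymmetric result (forward and return delays that differ) is what a plain echo round-trip time cannot show; a negative value indicates clock skew between the two hosts rather than negative latency.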


