tech-net archive


Re: ipfilter, return-icmp and RFC1122



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 5 Jun 2008, Dennis Ferguson wrote:

>> Well, the default behavior is arguably right for a router (the more
>> common IPF use case).  In any case, the error should be a rare one --
>> assuming proper config of border routers, any broadcast packet you see
>> reaching a host will have originated on the local subnet (or close), so
>> such a response should be rare and local.
>
>
> I'm not clear on how this behaviour could be argued to be any more correct
> for a router than a host.  Here's what RFC 1812 says:

It's clear that a router should be rejecting a broadcast packet which 
would transit that router in almost all cases.

If the network behind the router is otherwise firewalled, the router 
should return the same error as it would for any other address on that 
network -- otherwise, the router's lack of a response would confirm the 
existence of the otherwise-firewalled network (a non-configured network 
having no broadcast address).

- -- 
                                Jim Wise
                                jwise%draga.com@localhost
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iD8DBQFISHwXq/KRbT0KwbwRAnLLAJ9BcmaR0jd/P8SLANW1OZYjnpHo+wCePc2P
+/Ohm+xHyFRqNfhNHIxLkgE=
=3FQY
-----END PGP SIGNATURE-----
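The information leak Jim describes above (a router that stays silent only for the broadcast address of a configured-but-firewalled network, while answering every address of an unknown network the same way) can be modelled as an attacker's oracle. The following Python is an added example written for this archive page; it is not code from the thread or from ipfilter. The topology (192.0.2.0/24 as a firewalled network behind the router, 198.51.100.0/24 as an ordinary routed network, 203.0.113.0/24 as unknown) and the response labels are constructed for the illustration; `suppress_broadcast_icmp` is the hypothetical policy knob that stands in for the RFC 1122 "no ICMP error in response to a broadcast destination" behaviour the thread is arguing about.

```python
import ipaddress

# Constructed topology for the example: networks the router has routes for,
# and the subset it firewalls (drops all traffic toward, with an ICMP error).
CONFIGURED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),      # firewalled, behind the router
    ipaddress.ip_network("198.51.100.0/24"),   # ordinary routed network
]
FIREWALLED_NETS = {ipaddress.ip_network("192.0.2.0/24")}


def route_for(dst):
    """Return the configured network containing dst, or None if unrouted."""
    for net in CONFIGURED_NETS:
        if dst in net:
            return net
    return None


def router_response(dst, suppress_broadcast_icmp=True):
    """Model of what the router sends back for a packet addressed to dst.

    Labels are for the model only:
      "net-unreach"  - no route; an unknown network answers uniformly
      "prohibited"   - firewalled destination, ICMP error returned
      "silent"       - nothing returned (RFC 1122-style broadcast suppression)
      "forwarded"    - packet passed on toward the destination
    """
    dst = ipaddress.ip_address(dst)
    net = route_for(dst)
    if net is None:
        # A non-configured network has no broadcast address as far as the
        # router knows, so every address in it gets the same error.
        return "net-unreach"
    if net in FIREWALLED_NETS:
        if suppress_broadcast_icmp and dst == net.broadcast_address:
            return "silent"
        return "prohibited"
    return "forwarded"


def probe_network(net, **policy):
    """Attacker's view: responses for the first host, last host and the
    broadcast address of a candidate /24."""
    net = ipaddress.ip_network(net)
    hosts = list(net.hosts())
    targets = (hosts[0], hosts[-1], net.broadcast_address)
    return {str(a): router_response(a, **policy) for a in targets}


def looks_configured(net, **policy):
    """Oracle from the thread: a network is inferred to exist behind the
    router if its broadcast address is treated differently from an
    ordinary host address in the same network."""
    responses = list(probe_network(net, **policy).values())
    return responses[-1] != responses[0]


if __name__ == "__main__":
    for net in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"):
        print(net, probe_network(net), "configured?", looks_configured(net))
    # With the router returning the same error for the broadcast address as
    # for any other blocked host, the oracle no longer distinguishes the
    # firewalled network from an unknown one.
    print("fixed policy:", looks_configured("192.0.2.0/24",
                                            suppress_broadcast_icmp=False))
```

With the default policy the firewalled network is detectable purely from the broadcast address going quiet; with `suppress_broadcast_icmp=False` (the behaviour Jim argues a router in this position should have) the probe returns the same answer for all three addresses and the network is indistinguishable from an unrouted one.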

