[104703] in North American Network Operators' Group
Re: [NANOG] Limiting ICMP
daemon@ATHENA.MIT.EDU (Sean Donelan)
Fri May 23 19:24:07 2008
Date: Fri, 23 May 2008 19:23:57 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: John Kristoff <jtk@centergate.net>
In-Reply-To: <200805212115.m4LLFcBJ016955@larry.centergate.com>
Cc: Nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
On Wed, 21 May 2008, John Kristoff wrote:
> In the environments where I've done this, my experience was that it was
> an acceptable practice at the time and in a couple cases it did help the
> net upstream when something went wrong (e.g. this did stop some real
> DoS traffic for me more than once). I made use of protocol counters or
> some monitoring tools to ensure they were not unnecessarily dropping
> valid packets. Your mileage may vary of course, as it apparently does?
Welcome to the wonderful world of deciding on "defaults." Unfortunately,
the people most likely to be negatively affected by defaults are also
people least likely to know the consequences of those defaults.
Is it better to set defaults conservatively and allow people who want
more to expand them? Or better to set defaults liberally and allow
people who want less to reduce them?
