Comment 14 for bug 1262759

Jeremy Stanley (fungi) wrote:

With my former ISP/cloud network engineer hat on, I'm not sure I completely agree with "block all traffic passing through the infrastructure unless you know what it is" since that's how we spent a decade or more having to hound service providers and equipment manufacturers to stop breaking VPNs when they blocked all IP protocols besides ICMP/UDP/TCP. Similar philosophies about ICMP types and IP options led to rampant MTU black holes, ECN not working on most of the Internet, et cetera. Postel's law: be conservative in what you do, be liberal in what you accept from others.

I do agree, though, that a control like "disable IPv6 support in my cloud network" ought to explicitly block all bare/unencapsulated IPv6 traffic (there's not much you can do about tunneled IPv6, nor should you try to unless you have a local policy that all manner of tunneled traffic is forbidden). Similarly, a security group or other packet filter which is intended to block everything with a default deny rule should block *everything* including traffic you don't support in other capacities.
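To make the two filtering shapes in this comment concrete, here is an added example (it is not code from the bug thread, from Neutron, or from any real security-group implementation; every class, function and constant name is assumed for illustration). It models a security group as an explicit allow list over (ethertype, IP protocol) with default deny, a separate "IPv6 disabled" control that drops only bare IPv6 (ethertype 0x86DD) and leaves 6in4-tunneled IPv6 (IPv4 protocol 41) to the ordinary IPv4 rules, and, for contrast, the legacy ISP-style filter that only understood ICMP/UDP/TCP. The Ethernet frames are constructed by hand with zeroed addresses.

```python
"""Toy frame classifier and two filter policies (added example, not from the thread)."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41   # 6in4: IPv6 encapsulated directly in IPv4
IPPROTO_GRE = 47    # common VPN/tunnel protocol
IPPROTO_ESP = 50    # IPsec


def build_frame(ethertype, proto=0):
    """Construct a minimal Ethernet frame carrying an IPv4 or IPv6 header with
    the given protocol / next-header value (constructed test input, zero MACs)."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    if ethertype == ETHERTYPE_IPV4:
        hdr = bytearray(20)
        hdr[0] = 0x45          # version 4, IHL 5
        hdr[9] = proto         # IPv4 'protocol' field
        return eth + bytes(hdr)
    if ethertype == ETHERTYPE_IPV6:
        hdr = bytearray(40)
        hdr[0] = 0x60          # version 6
        hdr[6] = proto         # IPv6 'next header' field
        return eth + bytes(hdr)
    return eth + b"\x00" * 28  # e.g. ARP: no IP header at all


def parse_frame(frame):
    """Return (ethertype, ip_protocol_or_None) from a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("short frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        return ethertype, payload[9]
    if ethertype == ETHERTYPE_IPV6 and len(payload) >= 40:
        return ethertype, payload[6]
    return ethertype, None


class SecurityGroup:
    """Explicit allow list with default deny across *every* ethertype and protocol.

    allow_rules: iterable of (ethertype, proto); proto=None means any protocol.
    ipv6_enabled=False models a 'disable IPv6 in my cloud network' control.
    """

    def __init__(self, allow_rules, ipv6_enabled=True):
        self.allow_rules = list(allow_rules)
        self.ipv6_enabled = ipv6_enabled

    def decide(self, frame):
        ethertype, proto = parse_frame(frame)
        # The IPv6 control drops bare IPv6 only. A 6in4 packet is, on the wire,
        # an IPv4 packet with protocol 41 and is judged by the IPv4 rules below.
        if not self.ipv6_enabled and ethertype == ETHERTYPE_IPV6:
            return "drop"
        for rule_eth, rule_proto in self.allow_rules:
            if rule_eth == ethertype and (rule_proto is None or rule_proto == proto):
                return "accept"
        return "drop"  # default deny: includes protocols/ethertypes we never 'support'


LEGACY_KNOWN = frozenset({IPPROTO_ICMP, IPPROTO_UDP, IPPROTO_TCP})


def legacy_filter(frame):
    """The ISP-style filter the comment complains about: drops IPv4 protocols it
    does not recognise (breaking GRE/ESP VPNs) while passing anything that is
    not IPv4, because it never looks at it."""
    ethertype, proto = parse_frame(frame)
    if ethertype == ETHERTYPE_IPV4:
        return "accept" if proto in LEGACY_KNOWN else "drop"
    return "accept"  # IPv6, ARP, ...: 'unknown, so let it through'


def compare(frame):
    """Decisions of the two policies side by side, for one frame."""
    sg = SecurityGroup([(ETHERTYPE_IPV4, IPPROTO_TCP), (ETHERTYPE_IPV4, IPPROTO_GRE)],
                       ipv6_enabled=False)
    return {"security_group": sg.decide(frame), "legacy": legacy_filter(frame)}


if __name__ == "__main__":
    for name, frame in [
        ("IPv4/TCP", build_frame(ETHERTYPE_IPV4, IPPROTO_TCP)),
        ("IPv4/GRE", build_frame(ETHERTYPE_IPV4, IPPROTO_GRE)),
        ("IPv4/ESP", build_frame(ETHERTYPE_IPV4, IPPROTO_ESP)),
        ("bare IPv6", build_frame(ETHERTYPE_IPV6, IPPROTO_TCP)),
        ("6in4", build_frame(ETHERTYPE_IPV4, IPPROTO_IPV6)),
    ]:
        print(f"{name:10s} {compare(frame)}")
```

The point the two policies illustrate: the security group blocks ESP not because it is "unsupported" but because nobody added a rule for it, and adding (ETHERTYPE_IPV4, IPPROTO_ESP) to the allow list fixes that without loosening anything else; the legacy filter, by contrast, breaks GRE while silently passing bare IPv6.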