All,
Recall that we identified a gap in the SLPF. As currently written, the SLPF does not support deny (or allow) traffic based on ICMP type.
Here are three proposals:
ONE: Overload the ipv*_connection target.
Add text in section 2.1.2.2
"Semantics / requirements as they pertain to ipv*_connection
- Proto= TCP - 5 tuple is proto=TCP, src-ip, dst-ip, src-port, dest-port
- Proto= UDP - 5 tuple is proto=UDP, src-ip, dst-ip, src-port, dest-port
- Proto= ICMP - 5 tuple is proto=ICMP, src-ip, dst-ip, icmp-type, icmp-code
- Proto= any other - 5 tuple is proto, src-ip, dst-ip, unused, unused
TWO: Create a new target type(s) for ICMP with properties of src address, dest address and ICMP type
THREE: Expand the ip_connection to a 'six-tuple' vice five tuple to accommodate the ICMP type
Please provide your insights/ feedback in this matter.
Also, it would be most helpful if you indicated your preferred approach or indicate that oyu have no preference
Thank you
VR
Joe B
Joe Brule
Engineering (Y2D122)
FNX-3, B4A335
410.854.4045
'Adnius ad retinedam puritem noster peciosus corporalis fluidorum…'