Dave Dolson <[email protected]> wrote:
    > An ICMP extension could notify a sender that a 5-tuple connection is walled
    > off. It works for all IP protocols (TCP, UDP, GRE, even ICMP-echo).
    > This will be more real-time than relying on the sender to periodically probe
    > well-known servers on port 80.

Agreed, it's good.  Like all ICMPs, we must assume that they could be forged.

    > Such a message should indicate a reason, which could be a URL to a JSON/REST
    > interface.
    > Or, it could simply be an event that means "go probe port 80 to get
    > redirected"

While I think it's slightly less attackable to get redirected, I also favour
putting the URL in the packet, even if we ultimately cannot trust it.

Michael Richardson <[email protected]>
 -= IPv6 IoT consulting =-
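As an added illustration of the forgery caveat raised in this thread (this is not code from the thread or from any IETF draft): a receiver should act on a "walled off" ICMP notice only when the quoted original datagram names a 5-tuple it actually has open, and should treat the reason URL as untrusted input even then. Only the standard quoted-datagram layout of an ICMP error (inner IP header plus the first 8 bytes of the transport header) is real here; the extension format, the `url` argument and the sample addresses are assumptions.

```python
import socket
import struct

# Constructed sample: the quoted original datagram an ICMP error carries
# (IPv4 header without options + 8 bytes of transport header). This is how
# a test harness would build one; on a real host it comes off the wire.
def build_inner(proto, src, dst, sport, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    l4 = struct.pack("!HHI", sport, dport, 0)  # ports + 4 more transport bytes
    return ip + l4

def quoted_five_tuple(payload):
    """Recover (proto, src, dst, sport, dport) from the quoted datagram.
    Returns None when the quote is truncated or not IPv4."""
    if len(payload) < 28:
        return None
    ver_ihl, proto = payload[0], payload[9]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(payload) < ihl + 8:
        return None
    src = socket.inet_ntoa(payload[12:16])
    dst = socket.inet_ntoa(payload[16:20])
    if proto in (6, 17):  # TCP / UDP carry ports in the first 4 bytes
        sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    else:                 # GRE, ICMP-echo etc.: no ports, match on proto+addresses
        sport = dport = 0
    return (proto, src, dst, sport, dport)

def accept_walled_off_notice(payload, url, active):
    """Return the (still untrusted) reason URL only when the quoted 5-tuple is
    one this host has open in `active`; otherwise drop the notice as a
    possible forgery. The caller decides whether and how to fetch the URL."""
    t = quoted_five_tuple(payload)
    if t is None or t not in active:
        return None
    return url
```

A notice that does not match local connection state is discarded before any URL is looked at, which is the same off-path-forgery guard hosts already apply to ICMP errors against TCP.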

