Should routers send redirects by default?

Jared Mauch jared at puck.nether.net
Fri Aug 20 20:03:54 UTC 2010


On Aug 20, 2010, at 3:56 PM, Butch Evans wrote:

> On Fri, 2010-08-20 at 13:20 -0400, Christopher Morrow wrote: 
>> Polling a little bit here, there's an active discussion going on
>> 6man at ietf about whether or not v6 routers should:
>>  o be required to implement ip redirect functions (icmpv6 redirect)
>>  o be sending these by default
> 
> I do not currently have an IPv6 deployment, so my input may be lacking
> in real usefulness here.  With IPv4, however, I have been a little
> irritated at a few situations where I NEEDED this to work and it did not
> (certain PIX routers come to mind here).  There are risks involved with
> ANY "automated" type traffic to be sure, but for my money, it SHOULD be
> possible to configure every router to support the network needs.  So for
> my money, I'd suggest:
> 
> * routers MUST support ip redirect
> * "default" configurations irrelevant to me
> 
> I do agree with one or two of the other posters that it should not be
> within the purview of the IETF to "mandate" these defaults.  Each of us
> will learn the defaults of the particular gear we use and can adjust
> config templates to match, given the needs of the network we are
> deploying.  Just my $0.02 (may be worth less than that)  :-)

One of the challenges is that some vendors have a poor track record of
documenting these defaults.  This means unless you frequently sample
your network traffic, you may not see your device sending DECnet MOP
messages, or IPv6 redirects :)

Personally (and as the instigator in the IPv6/6man discussion) if the
vendors could be trusted to expose their default settings in their
configs, I would find a default of ON to be more acceptable.  As their
track record is poor, and the harm has been realized in the network we
operate (at least), I am advocating that as a matter of policy enabling
redirects not be a default-on policy.  If people want to hang themselves,
that's their problem, but at least they won't come with a hidden noose
around their neck.

- Jared
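
Added example, not part of the original message or of any vendor's tooling: one way to do the traffic sampling mentioned above, by classifying raw Ethernet frames and counting ICMPv6 Redirects (type 137) and DECnet MOP frames (EtherTypes 0x6001/0x6002) per source MAC. It assumes the frames were already captured elsewhere (for example from a mirror port); the sample frames and MAC addresses are constructed.

```python
import struct

ETH_VLAN = {0x8100, 0x88A8}                     # 802.1Q / 802.1ad tags
ETH_MOP = {0x6001: "DECnet MOP dump/load", 0x6002: "DECnet MOP remote console"}
ETH_IPV6, ICMPV6, REDIRECT = 0x86DD, 58, 137    # ICMPv6 type 137 = Redirect
EXT_HEADERS = {0, 43, 60}                       # hop-by-hop, routing, destination options

def classify(frame):
    """Return (source MAC, label) for an ICMPv6 Redirect or DECnet MOP frame, else None."""
    if len(frame) < 14:
        return None
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    while ethertype in ETH_VLAN:                # step over VLAN tags
        if len(frame) < off + 4:
            return None
        ethertype, off = struct.unpack("!H", frame[off + 2:off + 4])[0], off + 4
    if ethertype in ETH_MOP:
        return src, ETH_MOP[ethertype]
    if ethertype != ETH_IPV6 or len(frame) < off + 40:
        return None
    nxt, off = frame[off + 6], off + 40         # Next Header field, then past the fixed header
    while nxt in EXT_HEADERS:                   # walk extension headers (8-octet units)
        if len(frame) < off + 8:
            return None
        nxt, off = frame[off], off + 8 + 8 * frame[off + 1]
    if nxt == ICMPV6 and len(frame) > off and frame[off] == REDIRECT:
        return src, "ICMPv6 Redirect"
    return None

def summarize(frames):
    counts = {}                                 # (source MAC, label) -> frames seen
    for hit in filter(None, map(classify, frames)):
        counts[hit] = counts.get(hit, 0) + 1
    return counts

# Constructed sample frames (not captured traffic); MACs are made-up locally administered ones.
def _eth(src_last, ethertype, payload, vlan=False):
    tag = b"\x81\x00\x00\x64" if vlan else b""
    return bytes(6) + bytes([2, 0, 0, 0, 0, src_last]) + tag + struct.pack("!H", ethertype) + payload
def _ipv6(nxt, payload):
    return b"\x60\x00\x00\x00" + struct.pack("!HBB", len(payload), nxt, 255) + bytes(32) + payload

SAMPLE = [
    _eth(0x0A, ETH_IPV6, _ipv6(ICMPV6, b"\x89\x00" + bytes(38))),        # plain redirect
    _eth(0x0A, ETH_IPV6, _ipv6(0, bytes([ICMPV6, 0]) + bytes(6) + b"\x89\x00" + bytes(38)), vlan=True),
    _eth(0x0B, 0x6002, bytes(46)),                                      # MOP remote console
    _eth(0x0C, ETH_IPV6, _ipv6(ICMPV6, b"\x88\x00" + bytes(22))),        # neighbor advertisement
]
print(summarize(SAMPLE))
```

A source MAC that shows up in this summary but whose configuration never mentions redirects or MOP is the "hidden default" case the message describes.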



