Should routers send redirects by default?

• Previous message (by thread): Should routers send redirects by default?
• Next message (by thread): Should routers send redirects by default?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 20 Aug 2010 18:16:35 EDT, Brandon Ross said:

> How does turning off ICMP redirects on the router prevent a rouge PC from 
> sending ICMP redirects to it's neighbors?

If I know for a fact that the network is designed such that I will never ever
receive a valid ICMP redirect because there is exactly one route off the
network, I can safely turn off "accept ICMP redirects" and be done with it.

If I have to allow ICMP in, it becomes a much more interesting iptables/whatever
issue.

On Fri, 20 Aug 2010 15:34:17 PDT, Owen DeLong said:

> This is worse than said PC issuing rogue RAs exactly how?

It's the exact same problem, actually.

> Perhaps we should pressure switch vendors to add ICMP Redirect
> protection to the RA Guard feature they haven't implemented yet?

You mean you aren't already? ;)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20100820/91e3719b/attachment.sig>

• Previous message (by thread): Should routers send redirects by default?
• Next message (by thread): Should routers send redirects by default?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]