Should routers send redirects by default?
Valdis.Kletnieks at vt.edu
Fri Aug 20 23:31:38 UTC 2010
On Fri, 20 Aug 2010 18:16:35 EDT, Brandon Ross said:
> How does turning off ICMP redirects on the router prevent a rogue PC from
> sending ICMP redirects to its neighbors?
If I know for a fact that the network is designed such that I will never ever
receive a valid ICMP redirect because there is exactly one route off the
network, I can safely turn off "accept ICMP redirects" and be done with it.
If I have to allow ICMP in, it becomes a much more interesting iptables/whatever
issue.
On Fri, 20 Aug 2010 15:34:17 PDT, Owen DeLong said:
> This is worse than said PC issuing rogue RAs exactly how?
It's the exact same problem, actually.
> Perhaps we should pressure switch vendors to add ICMP Redirect
> protection to the RA Guard feature they haven't implemented yet?
You mean you aren't already? ;)
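A check for the "turn off accept ICMP redirects" setting discussed above, as an added example that is not part of the original thread. It assumes a Linux host and lists the interfaces whose effective IPv4 `accept_redirects` is still on, because the kernel combines `conf/all` with the per-interface value differently depending on whether forwarding is enabled. The root-directory parameter, the helper names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the Linux sysctl layout under /proc/sys.

# Read one sysctl file; a missing file counts as 0.
rd() { if [ -r "$1" ]; then cat "$1"; else echo 0; fi; }

# Print each interface whose effective IPv4 setting accepts ICMP redirects.
# $1 = sysctl root (hypothetical parameter, default /proc/sys) so the check
# can also run against a copied or constructed tree.
redirect_accepting_ifaces() {
    conf="${1:-/proc/sys}/net/ipv4/conf"
    all=$(rd "$conf/all/accept_redirects")
    for d in "$conf"/*; do
        [ -d "$d" ] || continue
        ifc=${d##*/}
        case "$ifc" in all|default) continue ;; esac
        own=$(rd "$d/accept_redirects")
        fwd=$(rd "$d/forwarding")
        # Kernel rule: forwarding on  -> conf/all AND conf/<if> must both be 1;
        #              forwarding off -> conf/all OR conf/<if> being 1 is enough.
        if [ "$fwd" -ne 0 ]; then
            if [ "$all" -ne 0 ] && [ "$own" -ne 0 ]; then echo "$ifc"; fi
        else
            if [ "$all" -ne 0 ] || [ "$own" -ne 0 ]; then echo "$ifc"; fi
        fi
    done
}

# Constructed sample tree: write one interface's settings under root $1.
mk_iface() {  # args: root name accept_redirects forwarding
    mkdir -p "$1/net/ipv4/conf/$2"
    echo "$3" > "$1/net/ipv4/conf/$2/accept_redirects"
    echo "$4" > "$1/net/ipv4/conf/$2/forwarding"
}

demo() {
    t=$(mktemp -d)
    mk_iface "$t" all  1 0   # global value left enabled
    mk_iface "$t" eth0 0 0   # host port, redirects turned off per interface only
    mk_iface "$t" eth1 0 1   # forwarding port, per-interface off
    redirect_accepting_ifaces "$t"   # lists eth0: conf/all still applies on a host
    rm -rf "$t"
}
demo
```

On a live system, call `redirect_accepting_ifaces` with no argument; an empty result means no interface will act on an IPv4 redirect.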