Should routers send redirects by default?

Leen Besselink leen at consolejunkie.net
Fri Aug 20 20:01:16 CDT 2010


On 08/21/2010 02:08 AM, Brandon Ross wrote:
> On Fri, 20 Aug 2010, Ricky Beam wrote:
>
>> I think it's almost universally disabled (by default) everywhere in 
>> IPv4 purely for security (traffic interception.)
>
> Okay, I'll ask again.  Exactly how does disabling ICMP redirects on my 
> router prevent traffic from being intercepted?
>
As was mentioned in another part of the thread.

You disable it on the host and if no host is using it, you might as well 
disable it on the router as well. Others mentioned some routers need to 
handle this in software instead of hardware, which is obviously slower.

It might also help you notice you have a rogue host when you are looking 
at your network traffic and if you know your network doesn't have any 
ICMP redirects normally.

Disabling on the host:
OpenBSD:
echo net.inet.icmp.rediraccept=0 >> /etc/sysctl.conf
echo net.inet6.icmp6.rediraccept=0 >> /etc/sysctl.conf
sysctl net.inet.icmp.rediraccept=0
sysctl net.inet6.icmp6.rediraccept=0

FreeBSD:
echo net.inet.icmp.drop_redirect=1 >> /etc/sysctl.conf
echo net.inet6.icmp6.rediraccept=0 >> /etc/sysctl.conf
sysctl net.inet.icmp.drop_redirect=1
sysctl net.inet6.icmp6.rediraccept=0

Linux:
echo net.ipv4.conf.all.accept_redirects = 0 >> /etc/sysctl.conf
echo net.ipv4.conf.all.send_redirects = 0 >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
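As an added illustration of the "notice a rogue host in your traffic" point above (example code, not from this mail or the NANOG thread): a small Python detector that walks raw IPv4 packets, picks out ICMP Redirects (type 5), and reports the sender, the gateway being advertised and the destination it applies to, flagging any sender that is not a known router. The packet builders, the addresses and the sample traffic are all constructed here for the demonstration; checksums are left at zero because the detector does not verify them.

```python
import struct
import ipaddress

ICMP_REDIRECT = 5                                   # ICMP type 5 = Redirect
REDIRECT_CODES = {0: "net", 1: "host", 2: "tos+net", 3: "tos+host"}

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 (not verified here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def make_redirect(src, dst, gateway, orig_src, orig_dst, code=1):
    """Constructed ICMP Redirect: type 5, code, checksum 0, gateway address, then
    the IPv4 header + 8 bytes of the datagram that supposedly triggered it."""
    inner = ipv4_header(orig_src, orig_dst, 6, 8) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.IPv4Address(gateway).packed) + inner
    return ipv4_header(src, dst, 1, len(icmp)) + icmp

def make_echo(src, dst):
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)      # ordinary echo request, for contrast
    return ipv4_header(src, dst, 1, len(icmp)) + icmp

def find_redirects(packets, known_routers=()):
    """Return one alert dict per ICMP Redirect found in raw IPv4 packets. On a network
    where redirects are disabled every hit is worth a look; a sender that is not in
    known_routers is additionally marked as unexpected."""
    alerts = []
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] != 1:                              # protocol 1 = ICMP
            continue
        icmp = pkt[ihl:]
        if icmp[0] != ICMP_REDIRECT:
            continue
        src = str(ipaddress.IPv4Address(pkt[12:16]))
        gateway = str(ipaddress.IPv4Address(icmp[4:8]))
        inner = icmp[8:]                              # embedded original datagram
        orig_dst = str(ipaddress.IPv4Address(inner[16:20])) if len(inner) >= 20 else "?"
        alerts.append({"sender": src, "code": REDIRECT_CODES.get(icmp[1], "?"),
                       "new_gateway": gateway, "for_destination": orig_dst,
                       "unexpected_sender": src not in known_routers})
    return alerts

# Constructed sample traffic: an echo request, a redirect from the real router,
# and a redirect from an ordinary host that should never be sending one.
SAMPLE = [
    make_echo("192.0.2.10", "192.0.2.1"),
    make_redirect("192.0.2.1", "192.0.2.10", "192.0.2.254", "192.0.2.10", "198.51.100.5"),
    make_redirect("192.0.2.77", "192.0.2.10", "192.0.2.77", "192.0.2.10", "203.0.113.9"),
]

if __name__ == "__main__":
    for alert in find_redirects(SAMPLE, known_routers={"192.0.2.1"}):
        print(alert)
```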
