Should routers send redirects by default?

Brandon Ross bross at pobox.com
Fri Aug 20 20:34:15 CDT 2010


On Fri, 20 Aug 2010, Ricky Beam wrote:

> On Fri, 20 Aug 2010 20:08:34 -0400, Brandon Ross <bross at pobox.com> wrote:
>> Okay, I'll ask again.  Exactly how does disabling ICMP redirects on my 
>> router prevent traffic from being intercepted?
>
> It stops *one vector* of MITM attack.  If a router honors redirects (and it 
> never should), an evil host can intercept traffic of hosts that aren't on the 
> local network.

Are you saying that turning off the transmittal of ICMP redirects on most 
routers will simultaniously disable the honoring of ICMP redirects that 
that router receives?

If that's not what you are saying then you are wrong.

> This is 5000% beyond the scope of the original question, btw.

I disagree.  The decision about whether or not a feature should be on by 
default or not should be clear evidence that said feature is/could be 
harmful.

So far I have not heard a single compelling argument for how the 
_transmittal_ of ICMP redirects can cause any signficicant harm to a 
network other than what the other typical protocols that are enabled by 
defualt (ping, can't fragement, etc) cause.  I will make the statement:

The transmittal of ICMP redirects by a router _cannot_ be exploited to 
create a man in the middle attack.

Before anyone responds to that statement, please read it very carefully. 
This statement does not comment on whether a host or router should be 
configured to _receive_ an ICMP redirect and act on it, that clearly can 
be used to create a MITM attack.

How many of you that routinely disable ICMP redirect on your routers also 
routinely disable the reception of ICMP redirects on your hosts?  For 
those of you that do not, why not?

-- 
Brandon Ross                                              AIM:  BrandonNRoss
                                                                ICQ:  2269442
                                    Skype:  brandonross  Yahoo:  BrandonNRoss




More information about the NANOG mailing list