Should routers send redirects by default?
Brandon Ross
bross at pobox.com
Sat Aug 21 01:34:15 UTC 2010
On Fri, 20 Aug 2010, Ricky Beam wrote:
> On Fri, 20 Aug 2010 20:08:34 -0400, Brandon Ross <bross at pobox.com> wrote:
>> Okay, I'll ask again. Exactly how does disabling ICMP redirects on my
>> router prevent traffic from being intercepted?
>
> It stops *one vector* of MITM attack. If a router honors redirects (and it
> never should), an evil host can intercept traffic of hosts that aren't on the
> local network.
Are you saying that turning off the transmittal of ICMP redirects on most
routers will simultaniously disable the honoring of ICMP redirects that
that router receives?
If that's not what you are saying then you are wrong.
> This is 5000% beyond the scope of the original question, btw.
I disagree. The decision about whether or not a feature should be on by
default or not should be clear evidence that said feature is/could be
harmful.
So far I have not heard a single compelling argument for how the
_transmittal_ of ICMP redirects can cause any signficicant harm to a
network other than what the other typical protocols that are enabled by
defualt (ping, can't fragement, etc) cause. I will make the statement:
The transmittal of ICMP redirects by a router _cannot_ be exploited to
create a man in the middle attack.
Before anyone responds to that statement, please read it very carefully.
This statement does not comment on whether a host or router should be
configured to _receive_ an ICMP redirect and act on it, that clearly can
be used to create a MITM attack.
How many of you that routinely disable ICMP redirect on your routers also
routinely disable the reception of ICMP redirects on your hosts? For
those of you that do not, why not?
--
Brandon Ross AIM: BrandonNRoss
ICQ: 2269442
Skype: brandonross Yahoo: BrandonNRoss
More information about the NANOG
mailing list