Should routers send redirects by default?

Butch Evans butche at butchevans.com
Wed Aug 25 03:08:57 UTC 2010


On Fri, 2010-08-20 at 21:34 -0400, Brandon Ross wrote: 
> So far I have not heard a single compelling argument for how the 
> _transmittal_ of ICMP redirects can cause any significant harm to a 
> network other than what the other typical protocols that are enabled by 
> default (ping, can't fragment, etc) cause.  I will make the statement:

I agree with you here, Brandon.  I asked the question: "What is the real
security hole?" because I cannot see any real risk here for MOST of the
networks that I am involved in.  I can see the possibility of MITM
attacks with ICMP redirects, but that is not the case for (as you point
out) a router that issues an ICMP redirect.  Also, it is not my
experience that most host OSes have this disabled either.  That being the
case, it seems to me that eliminating the behavior of transmitting these
redirects in a router is of little value in protecting against MITM
attacks.

> The transmittal of ICMP redirects by a router _cannot_ be exploited to 
> create a man in the middle attack.

I'd have to agree with this.  More because my limited research (which
includes responses I've seen on this thread) seems to indicate that this
is the case.  

> Before anyone responds to that statement, please read it very carefully. 
> This statement does not comment on whether a host or router should be 
> configured to _receive_ an ICMP redirect and act on it, that clearly can 
> be used to create a MITM attack.

If a network has a single router, then wouldn't this also create a DOS
situation under the right circumstances?  I mean, if it can create MITM,
it would HAVE to also create DOS possibilities.  What is the distance of
a route learned from an ICMP redirect?  If it is greater than 0
(connected route) or 1 (static route) but less than the cost of other
dynamically learned routes, then I can see why this may be a problem
for a router to respond to an ICMP redirect packet.


-- 
********************************************************************
* Butch Evans                   * Professional Network Consultation*
* http://www.butchevans.com/    * Network Engineering              *
* http://store.wispgear.net/    * Wired or Wireless Networks       *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *
********************************************************************
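An added example, not part of this thread or of any poster's message: the thread's distinction is between a router that *sends* redirects and a host that *accepts and acts on* them, and the second is the side worth auditing. The script below is a POSIX shell audit of the Linux sysctl knobs that govern that behaviour, reading `sysctl -a`-style lines from stdin. The function names (`audit_icmp_redirects`, `count_redirect_findings`) and the sample sysctl lines are constructed for this example; the knob names and the accept/secure/send semantics are those documented in the Linux `ip-sysctl` text.

```shell
#!/bin/sh
# Audit Linux ICMP redirect settings from "sysctl -a"-style lines on stdin.
# Real use:   sysctl -a 2>/dev/null | audit_icmp_redirects
# Prints one finding per knob whose value means "accept" or "send".
#
# Semantics (from the kernel's ip-sysctl documentation):
#   accept_redirects  - on a non-forwarding host, ANY of conf/{all,iface}
#                       set to 1 enables acceptance, so "all = 0" alone is
#                       not enough; every interface (and "default") must be 0.
#   secure_redirects  - 1 still accepts redirects that name a current
#                       default gateway as the new next hop.
#   send_redirects    - only matters when the box forwards (ip_forward = 1);
#                       enabled if EITHER conf/{all,iface} is 1.
audit_icmp_redirects() {
    while IFS= read -r line; do
        key=${line%% =*}            # "net.ipv4.conf.eth0.accept_redirects"
        case "$line" in
            net.ipv4.conf.*".accept_redirects = 1"|net.ipv6.conf.*".accept_redirects = 1")
                printf 'ACCEPTS redirects: %s\n' "$key" ;;
            net.ipv4.conf.*".secure_redirects = 1")
                printf 'ACCEPTS redirects from default gateways: %s\n' "$key" ;;
            net.ipv4.conf.*".send_redirects = 1")
                printf 'SENDS redirects (relevant only if forwarding): %s\n' "$key" ;;
        esac
    done
}

# Number of findings for the lines on stdin (always prints a number, even 0).
count_redirect_findings() {
    audit_icmp_redirects | awk 'END { print NR }'
}

# Constructed sample of a host that leaves several knobs open.
# Note "all.accept_redirects = 0" is undercut by "default" and "eth0".
SAMPLE_SYSCTL='net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.ip_forward = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.eth0.accept_redirects = 1'

# Constructed sample of a host with everything closed.
HARDENED_SYSCTL='net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0'

# Remediation for a plain host (persist in /etc/sysctl.d/ to survive reboot):
#   sysctl -w net.ipv4.conf.all.accept_redirects=0 \
#             net.ipv4.conf.default.accept_redirects=0 \
#             net.ipv4.conf.all.secure_redirects=0 \
#             net.ipv6.conf.all.accept_redirects=0
printf '%s\n' "$SAMPLE_SYSCTL" | audit_icmp_redirects
```

The point the audit makes visible is that setting `net.ipv4.conf.all.accept_redirects = 0` on its own does not close the hole on a non-forwarding host; the per-interface and `default` knobs have to be 0 as well, which is exactly the case the sample input triggers.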