Should routers send redirects by default?

James Hess mysidia at gmail.com
Thu Aug 26 01:08:32 UTC 2010


On Fri, Aug 20, 2010 at 4:08 PM, Butch Evans <butche at butchevans.com> wrote:
I would suggest the recommendation be that ICMP Redirects, proxy ARP,
directed broadcast, source routing,   and  acceptance/usage
of all fancy/surprising features should be off by default.   Where
"surprising"  is defined as the sort of thing that  is nonessential,
has questionable benefits,
can cause problems,  and that people will forget to turn off.

Redirects seem to fall into the non-essential  with questionable
benefits  (in most cases) category.


> For most of the networks that I manage (or help to manage), I can see no  reason why this would be an issue.

If none of your hosts accept redirects,  then it is not really
apparent that redirects are harmful. If some of your hosts accept
redirects,  then redirects may be
capable of causing headaches.   You might have a gateway using a
protocol such as VRRP,  with redundancy for the default gateway
address of subnet $X.

And you have other routers for other subnets which just happen to have
an  extra ip on subnet $X.

But the other subnets' routers'  IPs on subnet $X are not redundant,
and the packets are supposed take a secondary route if that "second
hop"  router goes down,
since the   $X  default gateway will dynamically figure this out in a
couple of seconds.

Then  the ICMP redirect  becomes a redirect to /dev/null.
And almost random sets of hosts will lose communications with each
other for the redirect timeout duration, if they are not smart enough
to implement methods of detecting the redirect is now bad.


Sending ICMP redirects is not a huge security risk.  ACCEPTING
redirects is a larger risk. The redirects can be used by an adversary
that acts as a "router",
to extend the lifetime of   or increase the effectiveness of an ARP
hijacking  or switch CAM flooding tactic,  to continue to steal
traffic from a host,
and ensure they get every packet.      The adversary with an IP on the
same subnet as target hosts can use forged ICMP redirects,  in order
to cause hosts
to misdirect packets sent to certain IPs,  so that  the  attacker's
local subnet IP address is  the first hop in the path,   instead of
the hosts' default gateway.


--
-J




More information about the NANOG mailing list