Should routers send redirects by default?

Owen DeLong owen at delong.com
Fri Aug 20 15:10:25 CDT 2010


Redirects in IPv6 are neither a worse nor a better idea than unauthenticated RAs for default routers, with nearly identical security implications.

Owen


Sent from my iPad

On Aug 20, 2010, at 10:20 AM, Christopher Morrow <christopher.morrow at gmail.com> wrote:

> Polling a little bit here, there's an active discussion going on
> 6man at ietf about whether or not v6 routers should:
>  o be required to implement ip redirect functions (icmpv6 redirect)
>  o be sending these by default
> 
> Essentially 12+ years ago in RFC2461
> (http://www.ietf.org/rfc/rfc2461.txt) and later in RFC4861
> (http://tools.ietf.org/html/rfc4861) there are a set of message types
> defined and use cases discussed which seem to lead to the idea that:
>  routers should be required to implement redirect logic/functionality
>  routers should by default be enabled to send these redirect messages.
> 
> In ipv4 there's a relatively widely used practice of disabling ip
> redirects. Secure router and secure host templates disable this
> functionality, and have for quite some time. There are a host of
> reasons for this; I don't really want to debate them, though :) It would
> be instructive to get a sense of how many folks do NOT disable this
> sort of thing, or how many folks RELY on these functions working in
> their network build today.
> 
> For the 6man discussion though, I presume that in ipv4 we take a set
> of configs/actions because of somewhat sane reasons, I suspect we
> would want to have the same config/end-state in v6? One proposal is to
> do this with:
>  o routers are required to be able to send redirect messages
>  o routers should NOT do this by default
> 
> With the proviso that some consenting adults may choose to enable by
> default on certain platforms (cable/DSL CPE, enterprise-LAN)... if that
> muddies the waters it'd be nice to just hear about the proposal there
> and leave the hinkiness of the rest out of the picture :) I hope that
> folks who currently run v6 network(s) might respond, there are quite a
> few v6 operators here... I'm looking at you owen/jjb/au-dsl-folk... :)
> 
> thanks for your time, of course if you want to chat more directly about
> this the 6man list is open and at:
>  <http://www.ietf.org/mail-archive/web/ipv6/current/maillist.html>
> 
> -Chris
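Added example, not part of Owen's or Chris's messages: the receiver-side checks RFC 4861 section 8.1 requires a host to apply before honouring an ICMPv6 Redirect (type 137), implemented as a small parser/validator over a constructed message. It illustrates Owen's point about RAs: every check (link-local source, hop limit 255, code 0, length of at least 40 octets, valid checksum, non-multicast destination, target link-local or equal to the destination, source equal to the current first-hop router) is satisfied by any node on the same link that forges the router's link-local address, exactly as with an unauthenticated RA. The addresses (fe80::1 as first-hop router, 2001:db8::10 as the host) are made up for the example; the message builder is only there to produce correctly checksummed test input.

```python
"""Parse and validate an ICMPv6 Redirect per RFC 4861 sections 4.5 and 8.1.

Added example with constructed sample input; not code from the thread.
"""
import ipaddress
import struct

ICMPV6_REDIRECT = 137
IPPROTO_ICMPV6 = 58
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def icmpv6_checksum(ip_src: str, ip_dst: str, payload: bytes) -> int:
    """RFC 4443 checksum: ones-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, zero, next header = 58) and the message.
    Returns 0 when run over a message whose checksum field is already correct."""
    pseudo = (ipaddress.IPv6Address(ip_src).packed
              + ipaddress.IPv6Address(ip_dst).packed
              + struct.pack("!I", len(payload))
              + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(ip_src: str, ip_dst: str, target: str, destination: str) -> bytes:
    """Minimal 40-octet Redirect (no options) with a correct checksum.
    Layout: type(1) code(1) checksum(2) reserved(4) target(16) destination(16)."""
    body = (struct.pack("!BBHI", ICMPV6_REDIRECT, 0, 0, 0)
            + ipaddress.IPv6Address(target).packed
            + ipaddress.IPv6Address(destination).packed)
    csum = icmpv6_checksum(ip_src, ip_dst, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def validate_redirect(ip_src: str, ip_dst: str, hop_limit: int, payload: bytes,
                      current_first_hop: str):
    """Apply the RFC 4861 s8.1 receiver checks.
    Returns (accepted, reasons, target, destination)."""
    reasons = []
    if len(payload) < 40:
        return False, ["ICMP length < 40 octets"], None, None
    typ, code, _csum, _reserved = struct.unpack("!BBHI", payload[:8])
    target = ipaddress.IPv6Address(payload[8:24])
    dest = ipaddress.IPv6Address(payload[24:40])
    src = ipaddress.IPv6Address(ip_src)

    if typ != ICMPV6_REDIRECT:
        reasons.append("not a Redirect (type %d)" % typ)
    if code != 0:
        reasons.append("ICMP code must be 0")
    if icmpv6_checksum(ip_src, ip_dst, payload) != 0:
        reasons.append("ICMP checksum invalid")
    if src not in LINK_LOCAL:
        reasons.append("source is not link-local")
    if hop_limit != 255:
        reasons.append("hop limit %d != 255 (packet crossed a router)" % hop_limit)
    if src != ipaddress.IPv6Address(current_first_hop):
        reasons.append("source is not the current first-hop router for the destination")
    if dest.is_multicast:
        reasons.append("destination is multicast")
    if target not in LINK_LOCAL and target != dest:
        reasons.append("target is neither link-local nor equal to destination")
    # Every option present must have a non-zero length (in units of 8 octets).
    off = 40
    while off < len(payload):
        if off + 2 > len(payload) or payload[off + 1] == 0:
            reasons.append("option with zero length")
            break
        off += payload[off + 1] * 8
    return not reasons, reasons, str(target), str(dest)


# Constructed scenario: host 2001:db8::10 uses fe80::1 as its first hop.
ROUTER, HOST = "fe80::1", "2001:db8::10"
GOOD = build_redirect(ROUTER, HOST, "fe80::2", "2001:db8:1::50")
# Off-link forgery: not link-local, and hop limit decremented by a router.
OFFLINK_SRC = "2001:db8:ffff::1"
OFFLINK = build_redirect(OFFLINK_SRC, HOST, "fe80::2", "2001:db8:1::50")
# A tampered copy of GOOD: last octet of the destination flipped.
TAMPERED = bytearray(GOOD)
TAMPERED[39] ^= 1
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    print(validate_redirect(ROUTER, HOST, 255, GOOD, ROUTER))
    print(validate_redirect(OFFLINK_SRC, HOST, 254, OFFLINK, ROUTER))
    print(validate_redirect(ROUTER, HOST, 255, TAMPERED, ROUTER))
```

The GOOD message is accepted whether it came from the real fe80::1 or from any other on-link node that put fe80::1 in the IPv6 source: nothing in the section 8.1 checks distinguishes the two, which is why disabling redirects (or protecting the link the same way one would against rogue RAs) is the operational control rather than receiver-side validation. The off-link forgery fails three checks at once, and the tampered copy fails only the checksum.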
