Should routers send redirects by default?

Christopher Morrow christopher.morrow at gmail.com
Fri Aug 20 16:05:43 CDT 2010


On Fri, Aug 20, 2010 at 4:10 PM, Owen DeLong <owen at delong.com> wrote:
> Redirects in IPv6 are no worse nor better an idea than unauthenticated RAs for default routers with nearly identical security implications.

this answered a different question... wanna try answering the question
I posed originally? :)
-chris


> Owen
>
>
> Sent from my iPad
>
> On Aug 20, 2010, at 10:20 AM, Christopher Morrow <christopher.morrow at gmail.com> wrote:
>
>> Polling a little bit here, there's an active discussion going on
>> 6man at ietf about whether or not v6 routers should:
>>  o be required to implement ip redirect functions (icmpv6 redirect)
>>  o be sending these by default
>>
>> Essentially 12+ years ago in RFC2461
>> (http://www.ietf.org/rfc/rfc2461.txt) and later in RFC4861
>> (http://tools.ietf.org/html/rfc4861) there are a set of message types
>> defined and use cases discussed which seem to lead to the idea that:
>>  routers should be required to implement redirect logic/functionality
>>  routers should by default be enabled to send these redirect messages.
>>
>> In ipv4 there's a relatively widely used practice of disabling ip
>> redirects. secure router and secure host templates disable this
>> functionality, and have for quite some time. There are a host of
>> reasons for this I don't really want to debate them though :) It would
>> be instructive to get a sense of how many folks do NOT disable this
>> sort of thing, or how many folks RELY on these functions working in
>> their network build today.
>>
>> For the 6man discussion though, I presume that in ipv4 we take a set
>> of configs/actions because of somewhat sane reasons, I suspect we
>> would want to have the same config/end-state in v6? One proposal is to
>> do this with:
>>  o routers are required to be able to send redirect messages
>>  o routers should NOT do this by default
>>
>> With the proviso that some consenting adults may choose to enable by
>> default on certain platforms (cabl/dsl CPE, enterprise-LAN)... if that
>> muddies the waters it'd be nice to just hear about the proposal there
>> and leave the hinkiness of the rest out of the picture :) I hope that
>> folks who currently run v6 network(s) might respond, there are quite a
>> few v6 operators here... I'm looking at you owen/jjb/au-dsl-folk... :)
>>
>> thanks for your time, of course if you want to chat more directly about
>> this the 6man list is open and at:
>>  <http://www.ietf.org/mail-archive/web/ipv6/current/maillist.html>
>>
>> -Chris
>
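As an added example (not part of this thread or of any RFC text), the following Python builds and decodes the ICMPv6 Redirect message defined in RFC 4861 section 4.5, computes the RFC 4443 checksum over the IPv6 pseudo-header, and applies the receiver-side validity checks from RFC 4861 section 8.1 that can be made from the packet bytes alone; the addresses used are constructed documentation/link-local values.

```python
"""Encode and decode ICMPv6 Redirect (type 137) messages, RFC 4861 section 4.5."""
import ipaddress
import struct

ICMPV6_REDIRECT = 137  # Redirect message type; the code field is always 0
NEXT_HEADER_ICMPV6 = 58


def icmpv6_checksum(src, dst, message):
    """RFC 4443 checksum: IPv6 pseudo-header (src, dst, length, next header) + message."""
    pseudo = src.packed + dst.packed + struct.pack("!I", len(message))
    pseudo += b"\x00\x00\x00" + bytes([NEXT_HEADER_ICMPV6])
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(src, dst, target, destination):
    """Router src tells host dst: use 'target' as next hop for 'destination'."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    # type, code, checksum placeholder, 4 reserved bytes, then two 16-byte addresses
    body = struct.pack("!BBHI", ICMPV6_REDIRECT, 0, 0, 0)
    body += ipaddress.IPv6Address(target).packed
    body += ipaddress.IPv6Address(destination).packed
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def parse_redirect(src, dst, msg):
    """Decode a Redirect, verify its checksum, and report the RFC 4861 8.1 checks.

    Hop-limit (must be 255) and first-hop-router checks need the IPv6 header and
    the host's routing state, so they are not evaluated here.
    """
    if len(msg) < 40:
        raise ValueError("too short for an ICMPv6 Redirect (minimum 40 bytes)")
    mtype, code, csum, _reserved = struct.unpack("!BBHI", msg[:8])
    if mtype != ICMPV6_REDIRECT or code != 0:
        raise ValueError("not an ICMPv6 Redirect with code 0")
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if icmpv6_checksum(src, dst, msg[:2] + b"\x00\x00" + msg[4:]) != csum:
        raise ValueError("ICMPv6 checksum mismatch")
    target = ipaddress.IPv6Address(msg[8:24])
    destination = ipaddress.IPv6Address(msg[24:40])
    return {
        "target": str(target),
        "destination": str(destination),
        # RFC 4861 8.1: source must be link-local; target must be link-local or
        # equal to the destination; destination must not be multicast.
        "source_link_local": src.is_link_local,
        "target_valid": target.is_link_local or target == destination,
        "destination_not_multicast": not destination.is_multicast,
    }
```

A host that logs redirects failing these checks (or that has redirects disabled entirely, as the IPv4 hardening templates in the thread do) gets the same visibility the discussion above is asking for.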



