Should routers send redirects by default?
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Fri Aug 20 21:54:32 UTC 2010
On Fri, 20 Aug 2010 16:08:19 CDT, Butch Evans said:
> Maybe I'm missing something. Can you point me to something that will
> help my understand WHY an ICMP redirect is such a huge security concern?
> For most of the networks that I manage (or help to manage), I can see no
> reason why this would be an issue.
In general, it's not a big deal, except that unlike a proper routing protocol
where you can redirect a /16 or a /default at a time and withdraw it when
needed, ICMP redirects tend to form host routes that have to individually be
redirected back if the routing flips back to its original status.
Until a PC or something on the network gets pwned, and issues selective forged
ICMP redirects to declare itself a router and the appropriate destination for
some traffic, which it can then MITM to its heart's content. *Then* you truly
have a manure-on-fan situation.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20100820/eb894354/attachment.sig>
More information about the NANOG
mailing list