Should routers send redirects by default?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Aug 20 21:54:32 UTC 2010


On Fri, 20 Aug 2010 16:08:19 CDT, Butch Evans said:

> Maybe I'm missing something.  Can you point me to something that will
> help my understand WHY an ICMP redirect is such a huge security concern?
> For most of the networks that I manage (or help to manage), I can see no
> reason why this would be an issue.

In general, it's not a big deal, except that unlike a proper routing protocol
where you can redirect a /16 or a /default at a time and withdraw it when
needed, ICMP redirects tend to form host routes that have to individually be
redirected back if the routing flips back to its original status.

Until a PC or something on the network gets pwned, and issues selective forged
ICMP redirects to declare itself a router and the appropriate destination for
some traffic, which it can then MITM to its heart's content. *Then* you truly
have a manure-on-fan situation.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20100820/eb894354/attachment.sig>


More information about the NANOG mailing list