Should routers send redirects by default?

Butch Evans butche at
Fri Aug 20 22:04:35 UTC 2010

On Fri, 2010-08-20 at 17:54 -0400, Valdis.Kletnieks at wrote: 
> Until a PC or something on the network gets pwned, and issues selective forged
> ICMP redirects to declare itself a router and the appropriate destination for
> some traffic, which it can then MITM to its heart's content. *Then* you truly
> have a manure-on-fan situation.

While I don't disagree with your assessment, isn't this true beyond JUST
this one function?  I mean, if I understand the "problem" correctly, is
it the EXISTENCE of ICMP redirect that is the "security hole" or is it
that it is used by a router?  Don't most host operating systems ignore
an ICMP redirect for a host if they are not asking for a route anyway?
(I'm not sure I stated that very well...)  In other words, ICMP redirect
is NOT a broadcast and so it would be ignored if it wasn't directed to
my specific MAC.  Am I mistaken in that assumption?

* Butch Evans                   * Professional Network Consultation*
*    * Network Engineering              *
*    * Wired or Wireless Networks       *
*   * ImageStream, Mikrotik and MORE!  *

More information about the NANOG mailing list