Should routers send redirects by default?

Jared Mauch jared at puck.nether.net
Fri Aug 20 17:29:07 CDT 2010


See below

Jared Mauch

On Aug 20, 2010, at 6:16 PM, Brandon Ross <bross at pobox.com> wrote:

> On Fri, 20 Aug 2010, Valdis.Kletnieks at vt.edu wrote:
> 
>> Until a PC or something on the network gets pwned, and issues selective forged
>> ICMP redirects to declare itself a router and the appropriate destination for
>> some traffic, which it can then MITM to its heart's content. *Then* you truly
>> have a manure-on-fan situation.
> 
> I believe the question was along the lines of, "why do I turn this off on my router?"
> 
> How does turning off ICMP redirects on the router prevent a rouge PC from sending ICMP redirects to it's neighbors?
> 
> I'm in the same boat here.  I know there's a lot of conventional wisdom that says to turn it off, but I'm yet to hear a convincing argument as to why I should bother.  Now configuring your hosts to ignore them, that I could understand.


The issue is routers typically do this in software requiring a punt and CPU theft from bgp, ospf etc. 
> 
> -- 
> Brandon Ross                                              AIM:  BrandonNRoss
>                                                               ICQ:  2269442
>                                   Skype:  brandonross  Yahoo:  BrandonNRoss




More information about the NANOG mailing list