Should routers send redirects by default?
Jared Mauch
jared at puck.nether.net
Fri Aug 20 22:29:07 UTC 2010
See below
Jared Mauch
On Aug 20, 2010, at 6:16 PM, Brandon Ross <bross at pobox.com> wrote:
> On Fri, 20 Aug 2010, Valdis.Kletnieks at vt.edu wrote:
>
>> Until a PC or something on the network gets pwned, and issues selective forged
>> ICMP redirects to declare itself a router and the appropriate destination for
>> some traffic, which it can then MITM to its heart's content. *Then* you truly
>> have a manure-on-fan situation.
>
> I believe the question was along the lines of, "why do I turn this off on my router?"
>
> How does turning off ICMP redirects on the router prevent a rogue PC from sending ICMP redirects to its neighbors?
>
> I'm in the same boat here. I know there's a lot of conventional wisdom that says to turn it off, but I'm yet to hear a convincing argument as to why I should bother. Now configuring your hosts to ignore them, that I could understand.
The issue is routers typically do this in software, requiring a punt and CPU theft from BGP, OSPF, etc.
>
> --
> Brandon Ross AIM: BrandonNRoss
> ICQ: 2269442
> Skype: brandonross Yahoo: BrandonNRoss
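
An added example, not part of the thread: the forged-redirect scenario quoted above can be watched for on the receiving side by checking each ICMP redirect against the routers a segment is known to have. The router addresses, the function names and the sample packets (constructed inline with zeroed checksums and documentation-range addresses) are assumptions of this sketch.

```python
import ipaddress
import struct

# Assumption: the legitimate first-hop routers on this segment (documentation range).
KNOWN_ROUTERS = {ipaddress.IPv4Address("192.0.2.1"), ipaddress.IPv4Address("192.0.2.2")}

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header for constructed samples (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def build_redirect(sender, receiver, new_gateway, original_dst):
    """Constructed sample: ICMP redirect as seen by `receiver` (checksum left zero)."""
    embedded = ipv4_header(receiver, original_dst, 17, 8) + bytes(8)
    icmp = struct.pack("!BBH4s", 5, 1, 0, ipaddress.IPv4Address(new_gateway).packed)
    return ipv4_header(sender, receiver, 1, len(icmp) + len(embedded)) + icmp + embedded

def parse_redirect(packet):
    """Return (sender, new_gateway, original_dst) for an ICMP redirect, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    # Protocol 1 is ICMP; need 8 bytes of ICMP header plus the embedded IPv4 header.
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8 + 20:
        return None
    icmp = packet[ihl:]
    if icmp[0] != 5:  # type 5 = redirect (RFC 792)
        return None
    sender = ipaddress.IPv4Address(packet[12:16])
    new_gateway = ipaddress.IPv4Address(icmp[4:8])
    original_dst = ipaddress.IPv4Address(icmp[24:28])  # dst field of embedded header
    return sender, new_gateway, original_dst

def suspicious(packet, routers=KNOWN_ROUTERS):
    """True if a redirect's sender or advertised gateway is not a known router."""
    parsed = parse_redirect(packet)
    if parsed is None:
        return False  # not a redirect, nothing to judge
    sender, new_gateway, _ = parsed
    return sender not in routers or new_gateway not in routers

if __name__ == "__main__":
    for label, sender, gw in [("router redirect", "192.0.2.1", "192.0.2.2"),
                              ("host posing as router", "192.0.2.66", "192.0.2.66")]:
        pkt = build_redirect(sender, "192.0.2.50", gw, "198.51.100.7")
        print(label, parse_redirect(pkt), "SUSPICIOUS" if suspicious(pkt) else "ok")
```

The advertised-gateway check matters because the source address of a redirect can be spoofed to match a real router, so the sender check alone is not sufficient.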