Should routers send redirects by default?
nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Fri Aug 20 19:43:39 CDT 2010
On Fri, 20 Aug 2010 19:49:43 -0400
"Ricky Beam" <jfbeam at gmail.com> wrote:
> On Fri, 20 Aug 2010 13:20:58 -0400, Christopher Morrow
> <christopher.morrow at gmail.com> wrote:
> > Polling a little bit here, there's an active discussion going on
> > 6man at ietf about whether or not v6 routers should:
> > o be required to implement ip redirect functions (icmpv6 redirect)
> > o be sending these by default
> > In ipv4 there's a relatively widely used practice of disabling ip
> > redirects.
> I think it's almost universally disabled (by default) everywhere in IPv4
> purely for security (traffic interception.) In a perfectly run network,
> redirects should never be necessary, so I'd think IPv6 should avoid going
> down that road again. (support OPTIONAL, never enabled by default.) [It's
> another insecure mistake IPv6 doesn't need to repeat.]
You're assuming the cost of always hairpinning traffic on an interface
is cheaper than issuing a redirect. Sometimes it won't be. 1 ICMP
redirect could result in potentially congestion-inducing load being
shifted off of a single router's interface.
It seems that there might be a common and unstated assumption here that
every router uses hardware forwarding and has high speed 1Gbps+
interfaces that have <50% utilisation. The majority of routers - CPE -
don't meet that assumption.
> As I recall from long long ago, Cisco IOS would deal with traffic
> differently depending on redirects... with redirects enabled, a redirect
> was sent and the packet dropped; with redirects disabled, the router
> hairpinned the packets. I honestly don't know what today's versions do
> because I've never checked -- A can ping B, I move on. I turn redirects
> off on *outside* interfaces. Inside (trustable) interfaces vary -- I
> don't go out of my way to disable them.
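The interception risk raised in this thread exists because a host that accepts a Redirect moves its next hop for a destination to whatever the message names. RFC 4861 section 8.1 lists the checks a receiver must apply before acting on one (link-local source, hop limit 255, valid checksum, code 0, sender equal to the current first hop, target either link-local or the destination itself). The following is an added example written for this archive page, not code from any poster or from the 6man discussion; it implements those checks in Python over constructed test vectors (the addresses fe80::1, fe80::2, fe80::3 and 2001:db8::1 are made-up sample values), so a reader can see which spoofing attempts the validation rejects and which a compliant host is still obliged to accept from its own first-hop router.

```python
"""Validate a received ICMPv6 Redirect as RFC 4861 section 8.1 requires.

Added example for this mailing-list thread; the packets below are
constructed test vectors, not captured traffic.
"""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ICMPV6_REDIRECT = 137


def icmpv6_checksum(src: bytes, dst: bytes, payload: bytes) -> int:
    """One's-complement checksum over the IPv6 pseudo-header plus the ICMPv6
    message (RFC 8200 section 8.1). The checksum field inside payload must
    already be zero when this is called."""
    pseudo = src + dst + struct.pack("!I3xB", len(payload), ICMPV6_NEXT_HEADER)
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(src: str, dst: str, target: str, destination: str) -> bytes:
    """Assemble a Redirect message (type 137) with a correct checksum.
    Used only to produce test vectors for validate_redirect()."""
    body = struct.pack("!BBHI", ICMPV6_REDIRECT, 0, 0, 0)
    body += ipaddress.IPv6Address(target).packed
    body += ipaddress.IPv6Address(destination).packed
    csum = icmpv6_checksum(ipaddress.IPv6Address(src).packed,
                           ipaddress.IPv6Address(dst).packed, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def validate_redirect(src: str, dst: str, hop_limit: int, msg: bytes,
                      current_first_hop: str):
    """Return (accepted, reason). Each check is one bullet of RFC 4861 8.1."""
    src_addr = ipaddress.IPv6Address(src)
    if not src_addr.is_link_local:
        return False, "source is not link-local"
    if hop_limit != 255:
        return False, "hop limit is not 255, so origin may be off-link"
    if len(msg) < 40:
        return False, "ICMP length below 40 octets"
    mtype, code, csum, _reserved = struct.unpack("!BBHI", msg[:8])
    if mtype != ICMPV6_REDIRECT or code != 0:
        return False, "wrong type or non-zero code"
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    if icmpv6_checksum(src_addr.packed, ipaddress.IPv6Address(dst).packed,
                       zeroed) != csum:
        return False, "bad checksum"
    target = ipaddress.IPv6Address(msg[8:24])
    destination = ipaddress.IPv6Address(msg[24:40])
    if destination.is_multicast:
        return False, "destination is multicast"
    if src_addr != ipaddress.IPv6Address(current_first_hop):
        return False, "sender is not our current first hop for that destination"
    if not (target.is_link_local or target == destination):
        return False, "target is neither link-local nor the destination itself"
    # Options are TLVs with length in units of 8 octets; zero length is invalid.
    off = 40
    while off < len(msg):
        if off + 2 > len(msg) or msg[off + 1] == 0:
            return False, "option with zero length"
        off += msg[off + 1] * 8
    return True, "accepted"


if __name__ == "__main__":
    # Constructed scenario: host fe80::1, current router fe80::2 redirecting
    # traffic for 2001:db8::1 to another on-link router fe80::3.
    good = build_redirect("fe80::2", "fe80::1", "fe80::3", "2001:db8::1")
    print(validate_redirect("fe80::2", "fe80::1", 255, good, "fe80::2"))
    # Same message claimed by a node that is not the host's first hop.
    rogue = build_redirect("fe80::9", "fe80::1", "fe80::3", "2001:db8::1")
    print(validate_redirect("fe80::9", "fe80::1", 255, rogue, "fe80::2"))
```

The last two checks are the ones that matter operationally: a redirect is only honoured from the router the host is already using, and that router can only point at a link-local neighbour or at the destination itself. Disabling redirect acceptance on hosts (and redirect generation on untrusted router interfaces, as the quoted post describes for IPv4) removes even that residual trust in the first hop.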