Should routers send redirects by default?
Eric J. Katanich
ekat at onyxlight.net
Sat Aug 21 01:08:17 UTC 2010
On Fri, 20 Aug 2010 18:16:35 EDT, Brandon Ross said:
> How does turning off ICMP redirects on the router prevent a rouge PC from
> sending ICMP redirects to it's neighbors?
If I know for a fact that the network is designed such that I will never ever
receive a valid ICMP redirect because there is exactly one route off the
network, I can safely turn off "accept ICMP redirects" and be done with it.
If I have to allow ICMP in, it becomes a much more interesting iptables/whatever
issue.
On Fri, 20 Aug 2010 15:34:17 PDT, Owen DeLong said:
> This is worse than said PC issuing rogue RAs exactly how?
It's the exact same problem, actually.
> Perhaps we should pressure switch vendors to add ICMP Redirect
> protection to the RA Guard feature they haven't implemented yet?
You mean you aren't already? ;)
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ATT61001..txt
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20100820/d73a9897/attachment.txt>
More information about the NANOG
mailing list