Should routers send redirects by default?

Eric J. Katanich ekat at
Sat Aug 21 01:08:17 UTC 2010

On Fri, 20 Aug 2010 18:16:35 EDT, Brandon Ross said:

> How does turning off ICMP redirects on the router prevent a rogue PC from 
> sending ICMP redirects to its neighbors?

If I know for a fact that the network is designed such that I will never ever
receive a valid ICMP redirect because there is exactly one route off the
network, I can safely turn off "accept ICMP redirects" and be done with it.

If I have to allow ICMP in, it becomes a much more interesting iptables/whatever

On Fri, 20 Aug 2010 15:34:17 PDT, Owen DeLong said:

> This is worse than said PC issuing rogue RAs exactly how?

It's the exact same problem, actually.

> Perhaps we should pressure switch vendors to add ICMP Redirect
> protection to the RA Guard feature they haven't implemented yet?

You mean you aren't already? ;)
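
Added example, not part of any poster's message: a check for the "accept ICMP redirects" setting discussed above, assuming a Linux host (the thread mentions iptables) and IPv4 only. The function name and the tree-root parameter are this example's own; the forwarding-dependent rule is the one in the kernel's ip-sysctl documentation.

```shell
#!/bin/sh
# List interfaces on which Linux would still act on an IPv4 ICMP redirect.
# Kernel rule for the effective per-interface setting:
#   forwarding=1 on the interface -> accepted only if conf/all AND conf/<if> are 1
#   forwarding=0 on the interface -> accepted if conf/all OR conf/<if> is 1
# So setting only conf/<if>/accept_redirects=0 on a host is not enough while
# conf/all/accept_redirects is still 1.
#
# $1 (optional, this example's own parameter): root of the sysctl tree, so the
# check can also be run against a copy collected from another machine.
redirect_accepting_ifaces() {
    conf_root="${1:-/proc/sys/net/ipv4/conf}"
    all_val=$(cat "$conf_root/all/accept_redirects" 2>/dev/null || echo 0)
    for dir in "$conf_root"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are templates, not real interfaces
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir/accept_redirects" ] || continue
        if_val=$(cat "$dir/accept_redirects")
        fwd=$(cat "$dir/forwarding" 2>/dev/null || echo 0)
        accepts=0
        if [ "$fwd" = "1" ]; then
            if [ "$all_val" = "1" ] && [ "$if_val" = "1" ]; then accepts=1; fi
        else
            if [ "$all_val" = "1" ] || [ "$if_val" = "1" ]; then accepts=1; fi
        fi
        if [ "$accepts" = "1" ]; then echo "$iface"; fi
    done
    return 0
}
# Usage: source this file, then run `redirect_accepting_ifaces` on the host;
# empty output means no interface will honour a redirect.
```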