Should routers send redirects by default?
Jared Mauch
jared at puck.nether.net
Sat Aug 21 14:26:59 UTC 2010
On Aug 21, 2010, at 2:11 AM, Yann GAUTERON wrote:
>
>
> 2010/8/20 Jared Mauch <jared at puck.nether.net>
>
> Personally (and as the instigator in the ipv6/6man discussion) if the
> vendors could be trusted to expose their default settings in their
> configs, i would find a default of ON to be more acceptable. As their
> track-record is poor, and the harm has been realized in the network we
> operate (at least), I am advocating that as a matter of policy enabling
> redirects not be a default-on policy. If people want to hang themselves
> that's their problem, but at least they won't come with a hidden noose
> around their neck.
>
> On Cisco routers (at least some of them), have you tried the command
> show running-config all
>
> This command displays all configuration, including hidden default values.
>
> This may help when this command is present.
>
> Don't know about other vendors.
This varies by IOS (software revision), and because not all devices
actually have the access to this "mainline" featureset due to when they
branched for their localized hardware support.
I certainly wish they could get there now, and it's better in the newer
access (CPE) hardware. While related, the larger problem IMHO is them
removing stuff like "show parser dump exec" and "show parser dump config".
I have been a supporter of exposed defaults for years, including "more secure"
and "more robust" defaults. The folks on the IETF list seem to think
that the existing rate-limit mechanics will protect the routers. We did not
arrive at these settings as a result of those rate-limits working properly
sadly.
- Jared
More information about the NANOG
mailing list