Should routers send redirects by default?

Christopher Morrow morrowc.lists at gmail.com
Sat Aug 21 10:19:30 CDT 2010


I appreciate the discussion.. Eric, are you reflecting messages back
to the list without additional content for a reason?

list-admin folks, could we ping eric and see what's busted?

On Fri, Aug 20, 2010 at 9:08 PM, Eric J. Katanich <ekat at onyxlight.net> wrote:
> On 08/21/2010 02:08 AM, Brandon Ross wrote:
>> On Fri, 20 Aug 2010, Ricky Beam wrote:
>>
>>> I think it's almost universally disabled (by default) everywhere in
>>> IPv4 purely for security (traffic interception.)
>>
>> Okay, I'll ask again.  Exactly how does disabling ICMP redirects on my
>> router prevent traffic from being intercepted?
>>
> As was mentioned in another part of the thread.
>
> You disable it on the host, and if no host is using it, you might as well
> disable it on the router as well. Others mentioned that some routers need
> to handle this in software instead of hardware, which is obviously slower.
>
> It might also help you notice you have a rogue host when you are looking
> at your network traffic and you know your network doesn't normally have
> any ICMP redirects.
>
> disabling on the host:
> OpenBSD:
> # rediraccept=0 ignores incoming redirects (IPv4 and IPv6)
> echo net.inet.icmp.rediraccept=0 >> /etc/sysctl.conf
> echo net.inet6.icmp6.rediraccept=0 >> /etc/sysctl.conf
> sysctl net.inet.icmp.rediraccept=0
> sysctl net.inet6.icmp6.rediraccept=0
>
> FreeBSD:
> # the IPv4 knob has the opposite sense: drop_redirect=1 drops redirects
> # (drop_redirect=0 is the default and accepts them)
> echo net.inet.icmp.drop_redirect=1 >> /etc/sysctl.conf
> echo net.inet6.icmp6.rediraccept=0 >> /etc/sysctl.conf
> sysctl net.inet.icmp.drop_redirect=1
> sysctl net.inet6.icmp6.rediraccept=0
>
> Linux:
> # accept_redirects=0 ignores incoming redirects; send_redirects=0 stops the
> # host emitting them when it forwards. These are the IPv4 knobs only; the
> # IPv6 equivalent is net.ipv6.conf.all.accept_redirects. On a host that
> # is not forwarding, the per-interface value is OR-ed with "all", so also
> # set net.ipv4.conf.default.accept_redirects = 0 (and the existing
> # interfaces) for the "all" setting to take effect.
> echo net.ipv4.conf.all.accept_redirects = 0 >> /etc/sysctl.conf
> echo net.ipv4.conf.all.send_redirects = 0 >> /etc/sysctl.conf
> sysctl -p /etc/sysctl.conf
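
The "notice a rogue host" point above is the detection side of the same
argument: a Redirect is only legitimate when it comes from the first-hop
router you are already using and names another router on the same link, so
anything else is either a misconfiguration or an attempt to pull your
traffic through somebody else's box. The script below is an added example,
not code from the thread or from any of the posters: it parses IPv4 ICMP
Redirect messages (type 5) from raw IP frames, verifies the ICMP checksum,
and flags redirects whose sender or new gateway is not a known router or is
off-link. The packets, the 192.0.2.0/24 subnet and the router set are all
constructed for the example.

```python
# Added example (not from the NANOG thread): parse IPv4 ICMP Redirect
# messages and flag ones that do not come from, or point at, a known
# router. The packets below are constructed by hand for the example, and the
# router set / subnet are assumptions.
import ipaddress
import struct

ICMP_REDIRECT = 5                       # RFC 792 Redirect message type
REDIRECT_CODES = {0: "net", 1: "host", 2: "tos+net", 3: "tos+host"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_redirect(src: str, dst: str, gateway: str, code: int,
                   original: bytes) -> bytes:
    """ICMP Redirect: type 5, code, checksum, new gateway, then the IP header
    plus first 8 bytes of the datagram that triggered it."""
    body = ipaddress.IPv4Address(gateway).packed + original[:28]
    icmp = struct.pack("!BBH", ICMP_REDIRECT, code, 0) + body
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(src, dst, 1, icmp)


def parse_redirect(frame: bytes):
    """Return the interesting fields of an IPv4 ICMP Redirect, or None if the
    frame is not one (wrong version/protocol/type, too short, bad checksum)."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1 or len(frame) < ihl + 8 + 20:
        return None
    icmp = frame[ihl:]
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_REDIRECT or inet_checksum(icmp) != 0:
        return None
    inner = icmp[8:]                    # header of the datagram being redirected
    return {
        "from": str(ipaddress.IPv4Address(frame[12:16])),
        "gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "code": REDIRECT_CODES.get(code, "unknown(%d)" % code),
        "redirected_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }


def flag_redirect(info, trusted_routers, local_net):
    """Reasons a redirect looks rogue; an empty list means it is consistent
    with a redirect from a real first-hop router on this segment."""
    reasons = []
    if info["from"] not in trusted_routers:
        reasons.append("sender %s is not a known router" % info["from"])
    if info["gateway"] not in trusted_routers:
        reasons.append("new gateway %s is not a known router" % info["gateway"])
    if ipaddress.IPv4Address(info["gateway"]) not in local_net:
        reasons.append("new gateway %s is not on-link" % info["gateway"])
    return reasons


# Constructed scenario (assumptions): hosts live in 192.0.2.0/24, the two
# real routers are .1 and .2, and 192.0.2.66 is a rogue box sending a redirect
# so that 192.0.2.10's traffic to 198.51.100.7 flows through it.
LOCAL_NET = ipaddress.IPv4Network("192.0.2.0/24")
TRUSTED_ROUTERS = {"192.0.2.1", "192.0.2.2"}
TRIGGER = build_ipv4("192.0.2.10", "198.51.100.7", 17, b"\x00" * 8)
LEGIT = build_redirect("192.0.2.1", "192.0.2.10", "192.0.2.2", 1, TRIGGER)
ROGUE = build_redirect("192.0.2.66", "192.0.2.10", "192.0.2.66", 1, TRIGGER)


def audit(frames, trusted=TRUSTED_ROUTERS, local_net=LOCAL_NET):
    """Map each frame index to its rogue reasons (non-redirects are skipped)."""
    findings = {}
    for i, frame in enumerate(frames):
        info = parse_redirect(frame)
        if info is not None:
            findings[i] = flag_redirect(info, trusted, local_net)
    return findings


if __name__ == "__main__":
    for idx, reasons in audit([TRIGGER, LEGIT, ROGUE]).items():
        print(idx, "ROGUE" if reasons else "ok", reasons)
```

The sender check is the same one the Linux kernel applies when
`net.ipv4.conf.*.secure_redirects` is set (redirects are honoured only from
gateways already in the interface's gateway list); doing it in a sensor
instead lets you alert on the rogue rather than silently ignore it, which is
the point the post makes about spotting a rogue host in your traffic.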




More information about the NANOG mailing list