Should routers send redirects by default?
mysidia at gmail.com
Wed Aug 25 20:08:32 CDT 2010
On Fri, Aug 20, 2010 at 4:08 PM, Butch Evans <butche at butchevans.com> wrote:
I would suggest the recommendation be that ICMP Redirects, proxy ARP,
directed broadcast, source routing, and acceptance/usage
of all fancy/surprising features should be off by default. Where
"surprising" is defined as the sort of thing that is nonessential,
has questionable benefits,
can cause problems, and that people will forget to turn off.
Redirects seem to fall into the non-essential with questionable
benefits (in most cases) category.
> For most of the networks that I manage (or help to manage), I can see no reason why this would be an issue.
If none of your hosts accept redirects, then it is not really
apparent that redirects are harmful. If some of your hosts accept
redirects, then redirects may be
capable of causing headaches. You might have a gateway using a
protocol such as VRRP, with redundancy for the default gateway
address of subnet $X.
And you have other routers for other subnets which just happen to have
an extra ip on subnet $X.
But the other subnets' routers' IPs on subnet $X are not redundant,
and the packets are supposed take a secondary route if that "second
hop" router goes down,
since the $X default gateway will dynamically figure this out in a
couple of seconds.
Then the ICMP redirect becomes a redirect to /dev/null.
And almost random sets of hosts will lose communications with each
other for the redirect timeout duration, if they are not smart enough
to implement methods of detecting the redirect is now bad.
Sending ICMP redirects is not a huge security risk. ACCEPTING
redirects is a larger risk. The redirects can be used by an adversary
that acts as a "router",
to extend the lifetime of or increase the effectiveness of an ARP
hijacking or switch CAM flooding tactic, to continue to steal
traffic from a host,
and ensure they get every packet. The adversary with an IP on the
same subnet as target hosts can use forged ICMP redirects, in order
to cause hosts
to misdirect packets sent to certain IPs, so that the attacker's
local subnet IP address is the first hop in the path, instead of
the hosts' default gateway.
More information about the NANOG