Should routers send redirects by default?

Butch Evans butche at
Thu Aug 26 02:14:37 UTC 2010

On Wed, 2010-08-25 at 20:08 -0500, James Hess wrote: 
> On Fri, Aug 20, 2010 at 4:08 PM, Butch Evans <butche at> wrote:
> I would suggest the recommendation be that ICMP Redirects, proxy ARP,
> directed broadcast, source routing, and acceptance/usage
> of all fancy/surprising features should be off by default.

Off by default, but supported, is my recommendation.  I am assuming
that the function in IPv6 is the same (or similar) to that of IPv4.
There was another post in this thread (I can't recall who it was that
posted it) that indicated there was more to the redirect in v6 than for
v4, but I am not yet very familiar with v6.  

> "surprising" is defined as the sort of thing that is nonessential,
> has questionable benefits,

Perhaps "questionable" to you, but I have had specific need to have ICMP
redirect for two specific networks.  In those networks it WAS essential
and had a very specific, measurable benefit.

> Redirects seem to fall into the non-essential with questionable
> benefits (in most cases) category.

You are being a little presumptuous here.  Perhaps for "most cases", I'd
agree that they are non-essential, but there are cases where it is
desirable and lack of support (as in the PIX) makes things very
difficult at times.

> If none of your hosts accept redirects, then it is not really
> apparent that redirects are harmful. If some of your hosts accept
> redirects, then redirects may be capable of causing headaches.

In one case where I needed ICMP redirect to work, I had 2 routers on the
network (one was a Linux device and the other was a PIX).  Each of these
was terminating VPNs from various sources.  There were several (about
90) hosts on the LAN segment.  Each of these hosts had the PIX as their
default route.  It would have been a very simple matter to add routes to
the PIX and have it redirect the traffic destined for the remote
networks behind the Linux device.  The PIX, however, does not support
ICMP redirects AT ALL.  I'm all for securing a network segment, but
failure to support a valid function of ICMP is one reason I have never
purchased a PIX...and never will.  

I can see your point that it should be off by default.  But to be off
and not even supported is just wrong, IMHO.
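The two-router LAN described in the post, modelled as an added example (this is not code from the thread, and it does not model the PIX itself: the firewall below is a generic router with a send_redirects knob, which is the behaviour the post wishes the PIX had). All addresses are constructed RFC 5737 documentation addresses, and the class and function names are the example's own. It shows what a redirect does for a host whose default route is the firewall, and it shows the RFC 1122 checks a host should make before installing one, which is the "off by default, but supported" position: a host with accept_redirects off still reaches the remote network, just through an extra hop.

```python
"""Added example: ICMP redirect on a LAN with a firewall (default gateway) and a
second router that terminates a VPN.  Constructed addresses only (RFC 5737)."""
import ipaddress
from dataclasses import dataclass, field

LAN = ipaddress.ip_network("192.0.2.0/24")         # constructed: shared LAN segment
REMOTE = ipaddress.ip_network("198.51.100.0/24")   # constructed: network behind the VPN router


@dataclass
class Router:
    name: str
    addr: ipaddress.IPv4Address
    routes: dict                      # destination network -> next hop (None = directly connected)
    send_redirects: bool = True       # the knob the post argues should exist (off by default)
    sent: list = field(default_factory=list)

    def forward(self, src, dst):
        """Return (action, next_hop, redirect_gateway) for one packet.
        A redirect is generated only when the packet came from a host on the connected
        LAN and the next hop is on that same LAN, i.e. the host could have sent the
        packet there directly (the RFC 1812 condition for sending a redirect)."""
        for net, nh in sorted(self.routes.items(), key=lambda r: r[0].prefixlen, reverse=True):
            if dst in net:
                break
        else:
            return "drop", None, None
        if nh is None:
            return "deliver", None, None          # destination is on a connected network
        redirect = None
        if self.send_redirects and src in LAN and nh in LAN:
            redirect = nh
            self.sent.append((str(src), str(dst), str(nh)))
        return "forward", nh, redirect


@dataclass
class Host:
    addr: ipaddress.IPv4Address
    gateway: ipaddress.IPv4Address
    accept_redirects: bool = False    # off by default, as the post recommends
    learned: dict = field(default_factory=dict)   # destination -> gateway installed from a redirect

    def next_hop(self, dst):
        return self.learned.get(dst, self.gateway)

    def receive_redirect(self, sender, dst, new_gw):
        """RFC 1122 3.2.2.2 host checks: the redirect must come from the gateway the host
        currently uses for dst, and the new gateway must be on a connected network.
        Returns True only if the redirect is installed."""
        if not self.accept_redirects:
            return False
        if sender != self.next_hop(dst):     # a redirect from anyone else is ignored
            return False
        if new_gw not in LAN:                # new gateway must be directly reachable
            return False
        self.learned[dst] = new_gw
        return True


def build_lan(accept_redirects):
    """Topology from the post: firewall is every host's default route; a Linux router on
    the same LAN owns the VPN to REMOTE; the firewall has a route for REMOTE via Linux."""
    linux = Router("linux", ipaddress.ip_address("192.0.2.2"), routes={REMOTE: None, LAN: None})
    firewall = Router("firewall", ipaddress.ip_address("192.0.2.1"),
                      routes={REMOTE: linux.addr, LAN: None,
                              ipaddress.ip_network("0.0.0.0/0"): ipaddress.ip_address("203.0.113.1")})
    host = Host(ipaddress.ip_address("192.0.2.50"), firewall.addr, accept_redirects)
    return host, {firewall.addr: firewall, linux.addr: linux}


def send(host, routers, dst):
    """Deliver one packet from host to dst; return the names of the routers it crossed."""
    path, hop = [], host.next_hop(dst)
    while True:
        router = routers[hop]
        path.append(router.name)
        action, nh, redirect = router.forward(host.addr, dst)
        if redirect is not None:
            host.receive_redirect(router.addr, dst, redirect)
        if action != "forward":
            return path
        hop = nh


def demo(accept_redirects):
    """Send two packets to a host behind the VPN; return the path each one took."""
    host, routers = build_lan(accept_redirects)
    dst = ipaddress.ip_address("198.51.100.7")
    return send(host, routers, dst), send(host, routers, dst)


def redirect_installed(sender, new_gw):
    """Does a fresh host (accept_redirects on) install a redirect from `sender` to `new_gw`?"""
    host, _ = build_lan(True)
    return host.receive_redirect(ipaddress.ip_address(sender), ipaddress.ip_address(new_gw),
                                 ) if False else host.receive_redirect(
        ipaddress.ip_address(sender), ipaddress.ip_address("198.51.100.7"), ipaddress.ip_address(new_gw))


if __name__ == "__main__":
    print("accept_redirects=True :", demo(True))    # second packet goes straight to linux
    print("accept_redirects=False:", demo(False))   # every packet takes the extra hop
```

With redirects accepted, the first packet crosses the firewall, which forwards it to the Linux router and tells the host about the better next hop; the second packet goes to the Linux router directly. With redirects refused, every packet takes the two-hop path, which still works, just less efficiently. The `redirect_installed` helper exercises the host-side checks: a redirect from any address other than the current gateway, or pointing at a gateway off the LAN, is dropped.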