[128926] in North American Network Operators' Group


Re: Should routers send redirects by default?

daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Aug 20 16:15:34 2010

From: Owen DeLong <owen@delong.com>
To: Christopher Morrow <christopher.morrow@gmail.com>
In-Reply-To: <AANLkTimbJ4g7DigSBeToJR33NPF4CYrHzAgamTwPQd=k@mail.gmail.com>
Date: Fri, 20 Aug 2010 13:10:25 -0700
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Redirects in IPv6 are neither a worse nor a better idea than unauthenticated RAs for default routers, with nearly identical security implications.

Owen


Sent from my iPad

On Aug 20, 2010, at 10:20 AM, Christopher Morrow <christopher.morrow@gmail.com> wrote:

> Polling a little bit here, there's an active discussion going on
> 6man@ietf about whether or not v6 routers should:
>  o be required to implement ip redirect functions (icmpv6 redirect)
>  o be sending these by default
>
> Essentially 12+ years ago in RFC2461
> (http://www.ietf.org/rfc/rfc2461.txt) and later in RFC4861
> (http://tools.ietf.org/html/rfc4861) there are a set of message types
> defined and use cases discussed which seem to lead to the idea that:
>  routers should be required to implement redirect logic/functionality
>  routers should by default be enabled to send these redirect messages.
>
> In ipv4 there's a relatively widely used practice of disabling ip
> redirects. secure router and secure host templates disable this
> functionality, and have for quite some time. There are a host of
> reasons for this I don't really want to debate them though :) It would
> be instructive to get a sense of how many folks do NOT disable this
> sort of thing, or how many folks RELY on these functions working in
> their network build today.
>
> For the 6man discussion though, I presume that in ipv4 we take a set
> of configs/actions because of somewhat sane reasons, I suspect we
> would want to have the same config/end-state in v6? One proposal is to
> do this with:
>  o routers are required to be able to send redirect messages
>  o routers should NOT do this by default
>
> With the proviso that some consenting adults may choose to enable by
> default on certain platforms (cabl/dsl CPE, enterprise-LAN)... if that
> muddies the waters it'd be nice to just hear about the proposal there
> and leave the hinkiness of the rest out of the picture :) I hope that
> folks who currently run v6 network(s) might respond, there are quite a
> few v6 operators here... I'm looking at you owen/jjb/au-dsl-folk... :)
>
> thanks for your time, of course if you want to chat more directly about
> this the 6man list is open and at:
>  <http://www.ietf.org/mail-archive/web/ipv6/current/maillist.html>
>
> -Chris
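As an added example that is not part of this thread: a small POSIX shell audit of the Linux sysctl knobs that the "secure host / secure router" templates mentioned above turn off, for IPv4 and IPv6 alike, run here against constructed `sysctl -a` style output. The sysctl key names are real Linux ones; the sample values are made up.

```shell
#!/bin/sh
# Added example, not from the NANOG thread. Reads "key = value" text in the
# format `sysctl -a` prints and reports the redirect knobs that hardening
# templates disable. Key names are real Linux sysctls; the sample is constructed.

# Print every net.ipv4/ipv6 conf.<iface>.{accept,send}_redirects key whose
# value is not 0, i.e. a host still honouring redirects or a router still
# sending them. (Linux exposes send_redirects for IPv4 only; IPv6 redirect
# sending has no per-interface sysctl of that name.)
audit_redirect_sysctls() {
    awk -F'[ \t]*=[ \t]*' '
        $1 ~ /^net\.ipv[46]\.conf\.[^.]+\.(accept|send)_redirects$/ && $2 != "0" { print $1 }
    '
}

# Turn each flagged key into the line you would drop into /etc/sysctl.d/*.conf.
remediation_lines() {
    audit_redirect_sysctls | sed 's/$/ = 0/'
}

# Count flagged keys so a compliance check can fail a build (prints a number).
count_flagged() {
    audit_redirect_sysctls | awk 'END { print NR }'
}

# Constructed sample: a forwarding box that still sends v4 redirects on all
# interfaces and accepts v6 redirects everywhere except eth0. secure_redirects
# and ip_forward are deliberately present and must not be flagged.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.eth0.accept_redirects = 0'

printf '%s\n' "$SAMPLE_SYSCTL" | remediation_lines
# Live use on a box: sysctl -a 2>/dev/null | audit_redirect_sysctls
```

Only the `all` and `default` keys need fixing on most boxes; a per-interface key that is already 0 (eth0 above) is left alone.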

