[128933] in North American Network Operators' Group

Re: Should routers send redirects by default?

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Aug 20 17:55:12 2010

To: Butch Evans <butche@butchevans.com>
In-Reply-To: Your message of "Fri, 20 Aug 2010 16:08:19 CDT."
	<1282338499.29483.297.camel@localhost.localdomain>
From: Valdis.Kletnieks@vt.edu
Date: Fri, 20 Aug 2010 17:54:32 -0400
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, 20 Aug 2010 16:08:19 CDT, Butch Evans said:

> Maybe I'm missing something.  Can you point me to something that will
> help me understand WHY an ICMP redirect is such a huge security concern?
> For most of the networks that I manage (or help to manage), I can see no
> reason why this would be an issue.

In general, it's not a big deal, except that unlike a proper routing protocol
where you can redirect a /16 or a /default at a time and withdraw it when
needed, ICMP redirects tend to form host routes that have to individually be
redirected back if the routing flips back to its original status.

Until a PC or something on the network gets pwned, and issues selective forged
ICMP redirects to declare itself a router and the appropriate destination for
some traffic, which it can then MITM to its heart's content. *Then* you truly
have a manure-on-fan situation.

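The forged-redirect case described in the message above can be screened with the acceptance checks from RFC 1122 section 3.2.2.2 plus a router allowlist. This is an added example, not part of the original message; the addresses, the `assess` and `sample` helpers and the allowlist are assumptions made for illustration.

```python
import ipaddress
import struct

def parse_redirect(packet: bytes):
    """Return the fields of an ICMP redirect (RFC 792, type 5), else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None                      # not IPv4 carrying ICMP
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 28 or icmp[0] != 5:   # 8-byte ICMP header + embedded IP header
        return None
    return {
        "sender": ipaddress.IPv4Address(packet[12:16]),
        "new_gateway": ipaddress.IPv4Address(icmp[4:8]),
        "orig_dst": ipaddress.IPv4Address(icmp[24:28]),  # dst of the embedded header
    }

def assess(packet, first_hop, subnet, routers):
    """List reasons a redirect is suspect; an empty list means it passed."""
    r = parse_redirect(packet)
    if r is None:
        return []
    findings = []
    if r["sender"] != first_hop:
        findings.append("sender is not the first-hop gateway")
    if r["new_gateway"] not in subnet:
        findings.append("new gateway is off-link")
    # The source address can be spoofed, so also require a known router.
    if r["new_gateway"] not in routers:
        findings.append("new gateway is not a known router")
    return findings

def sample(sender, host, new_gw, orig_dst):
    """Constructed test packet: IPv4 + ICMP redirect, checksums left as zero."""
    def ip(src, dst, proto, total):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    inner = ip(host, orig_dst, 6, 40) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", 5, 1, 0, ipaddress.IPv4Address(new_gw).packed) + inner
    return ip(sender, host, 1, 20 + len(icmp)) + icmp

# Assumed site values (documentation address ranges).
FIRST_HOP = ipaddress.IPv4Address("192.0.2.1")
SUBNET = ipaddress.ip_network("192.0.2.0/24")
ROUTERS = {FIRST_HOP, ipaddress.IPv4Address("192.0.2.2")}
```

The same three checks apply whether they run on the receiving host or on a sensor watching the segment; only the allowlist check still fires when the sender address has been spoofed to match the gateway.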