[128936] in North American Network Operators' Group
Re: Should routers send redirects by default?
daemon@ATHENA.MIT.EDU (Butch Evans)
Fri Aug 20 18:04:56 2010
From: Butch Evans <butche@butchevans.com>
To: nanog list <nanog@nanog.org>
In-Reply-To: <156200.1282341272@localhost>
Date: Fri, 20 Aug 2010 17:04:35 -0500
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Fri, 2010-08-20 at 17:54 -0400, Valdis.Kletnieks@vt.edu wrote:
> Until a PC or something on the network gets pwned, and issues selective forged
> ICMP redirects to declare itself a router and the appropriate destination for
> some traffic, which it can then MITM to its heart's content. *Then* you truly
> have a manure-on-fan situation.
While I don't disagree with your assessment, isn't this true beyond JUST
this one function? I mean, if I understand the "problem" correctly, is
it the EXISTENCE of ICMP redirect that is the "security hole" or is it
that it is used by a router? Don't most host operating systems ignore
an ICMP redirect for a host if they are not asking for a route anyway?
(I'm not sure I stated that very well...) In other words, ICMP redirect
is NOT a broadcast and so it would be ignored if it wasn't directed to
my specific MAC. Am I mistaken in that assumption?
--
********************************************************************
* Butch Evans * Professional Network Consultation*
* http://www.butchevans.com/ * Network Engineering *
* http://store.wispgear.net/ * Wired or Wireless Networks *
* http://blog.butchevans.com/ * ImageStream, Mikrotik and MORE! *
********************************************************************
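The host-side acceptance rules the reply asks about, as an added example that is not part of the thread: a Python check of the RFC 1122 section 3.2.2.2 conditions a host applies before honouring one ICMP Redirect (delivered to this host, sent by the current first hop for that destination, new gateway on the connected subnet). The host address, routing table and all addresses are constructed from RFC 5737 documentation ranges; note that the first-hop check is only as strong as the source address it sees, which is why many hosts are simply configured not to accept redirects at all.

```python
import ipaddress

# Constructed host state (assumption, not from the thread): one interface and
# a default route via the LAN router.
HOST_ADDR = ipaddress.ip_interface("192.0.2.10/24")
ROUTES = {  # destination prefix -> first-hop gateway currently in use
    ipaddress.ip_network("0.0.0.0/0"): ipaddress.ip_address("192.0.2.1"),
}


def first_hop(dst):
    """Longest-prefix match: the gateway this host currently uses for dst."""
    best = None
    for net, gw in ROUTES.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def accept_redirect(src, target_dst, new_gw, ip_dst=HOST_ADDR.ip):
    """Apply the RFC 1122 host checks to a single ICMP Redirect.

    src        - IP source address of the Redirect message
    target_dst - destination of the embedded datagram being redirected
    new_gw     - gateway address carried in the Redirect
    ip_dst     - IP destination the Redirect was delivered to
    Returns (accepted, reason).
    """
    src, target_dst, new_gw = map(ipaddress.ip_address, (src, target_dst, new_gw))
    ip_dst = ipaddress.ip_address(ip_dst)
    # Redirects are unicast to the host whose route is being changed; a
    # message not addressed to this host is ignored.
    if ip_dst != HOST_ADDR.ip:
        return False, "not addressed to this host"
    # The sender must be the first-hop gateway currently in use for that
    # destination, otherwise the Redirect is silently discarded.
    if src != first_hop(target_dst):
        return False, "sender is not the current first hop for the destination"
    # The new gateway must be directly reachable on the connected (sub)net.
    if new_gw not in HOST_ADDR.network:
        return False, "new gateway is not on the connected subnet"
    return True, "redirect accepted"


if __name__ == "__main__":
    print(accept_redirect("192.0.2.1", "198.51.100.7", "192.0.2.2"))
    print(accept_redirect("192.0.2.50", "198.51.100.7", "192.0.2.50"))
```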