[128939] in North American Network Operators' Group


Re: Should routers send redirects by default?

daemon@ATHENA.MIT.EDU (Jared Mauch)
Fri Aug 20 18:32:59 2010

In-Reply-To: <Pine.OSX.4.64.1008201814110.325@host-130-128-1-44.enet.interop.net>
From: Jared Mauch <jared@puck.nether.net>
Date: Fri, 20 Aug 2010 18:29:07 -0400
To: Brandon Ross <bross@pobox.com>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

See below

Jared Mauch

On Aug 20, 2010, at 6:16 PM, Brandon Ross <bross@pobox.com> wrote:

> On Fri, 20 Aug 2010, Valdis.Kletnieks@vt.edu wrote:
>
>> Until a PC or something on the network gets pwned, and issues selective forged
>> ICMP redirects to declare itself a router and the appropriate destination for
>> some traffic, which it can then MITM to its heart's content. *Then* you truly
>> have a manure-on-fan situation.
>
> I believe the question was along the lines of, "why do I turn this off on my router?"
>
> How does turning off ICMP redirects on the router prevent a rogue PC from sending ICMP redirects to its neighbors?
>
> I'm in the same boat here.  I know there's a lot of conventional wisdom that says to turn it off, but I'm yet to hear a convincing argument as to why I should bother.  Now configuring your hosts to ignore them, that I could understand.


The issue is routers typically do this in software, requiring a punt and CPU theft from BGP, OSPF etc.
>
> -- 
> Brandon Ross                                              AIM:  BrandonNRoss
>                                                               ICQ:  2269442
>                                   Skype:  brandonross  Yahoo:  BrandonNRoss
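
Added example, not part of the original thread: a host- or sensor-side check for the scenario discussed above, flagging ICMP redirects whose advertised gateway is not one of the segment's known routers. The router addresses, the `KNOWN_ROUTERS` allow-list and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Assumption for this example: the legitimate routers on the segment are known.
KNOWN_ROUTERS = {ipaddress.ip_address("192.0.2.1"), ipaddress.ip_address("192.0.2.2")}

def parse_redirect(pkt: bytes):
    """Return the fields of an IPv4 ICMP Redirect (type 5), or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 8:  # protocol 1 = ICMP
        return None
    icmp = pkt[ihl:]
    if icmp[0] != 5:
        return None
    inner = icmp[8:]  # header of the datagram that triggered the redirect
    return {
        "src": ipaddress.ip_address(pkt[12:16]),
        "code": icmp[1],
        "gateway": ipaddress.ip_address(icmp[4:8]),  # next hop being advertised
        "for_dst": ipaddress.ip_address(inner[16:20]) if len(inner) >= 20 else None,
    }

def classify(pkt: bytes, routers=KNOWN_ROUTERS) -> str:
    """Flag redirects that advertise a next hop outside the known router set."""
    r = parse_redirect(pkt)
    if r is None:
        return "not-a-redirect"
    # Judge the advertised gateway; the IP source field alone proves nothing.
    return "expected" if r["gateway"] in routers else "suspicious"

def build(src, dst, gateway, orig_dst, icmp_type=5):
    """Constructed sample packet; checksums are left zero and not validated."""
    a = lambda s: ipaddress.ip_address(s).packed
    hdr = "!BBHHHBBH4s4s"
    inner = struct.pack(hdr, 0x45, 0, 28, 0, 0, 64, 17, 0, a(dst), a(orig_dst)) + bytes(8)
    icmp = struct.pack("!BBH4s", icmp_type, 1, 0, a(gateway)) + inner
    outer = struct.pack(hdr, 0x45, 0, 20 + len(icmp), 0, 0, 255, 1, 0, a(src), a(dst))
    return outer + icmp

if __name__ == "__main__":
    samples = {
        "router to router": build("192.0.2.1", "192.0.2.50", "192.0.2.2", "198.51.100.7"),
        "unknown next hop": build("192.0.2.1", "192.0.2.50", "192.0.2.66", "198.51.100.7"),
        "echo request": build("192.0.2.50", "192.0.2.1", "0.0.0.0", "198.51.100.7", icmp_type=8),
    }
    for name, pkt in samples.items():
        print(f"{name}: {classify(pkt)}")
```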

