[128943] in North American Network Operators' Group
Re: Should routers send redirects by default?
daemon@ATHENA.MIT.EDU (Jared Mauch)
Fri Aug 20 19:21:11 2010
In-Reply-To: <4DB601C2-426D-4FAA-B837-750EECC3D85E@delong.com>
From: Jared Mauch <jared@puck.nether.net>
Date: Fri, 20 Aug 2010 19:21:14 -0400
To: Owen DeLong <owen@delong.com>
Cc: nanog list <nanog@nanog.org>
See below
Jared Mauch
On Aug 20, 2010, at 6:34 PM, Owen DeLong <owen@delong.com> wrote:
>
> On Aug 20, 2010, at 2:54 PM, Valdis.Kletnieks@vt.edu wrote:
>
>> On Fri, 20 Aug 2010 16:08:19 CDT, Butch Evans said:
>>
>>> Maybe I'm missing something. Can you point me to something that will
>>> help me understand WHY an ICMP redirect is such a huge security concern?
>>> For most of the networks that I manage (or help to manage), I can see no
>>> reason why this would be an issue.
>>
>> In general, it's not a big deal, except that unlike a proper routing protocol
>> where you can redirect a /16 or a /default at a time and withdraw it when
>> needed, ICMP redirects tend to form host routes that have to individually be
>> redirected back if the routing flips back to its original status.
>>
>> Until a PC or something on the network gets pwned, and issues selective forged
>> ICMP redirects to declare itself a router and the appropriate destination for
>> some traffic, which it can then MITM to its heart's content. *Then* you truly
>> have a manure-on-fan situation.
>
> This is worse than said PC issuing rogue RAs exactly how?
>
> Perhaps we should pressure switch vendors to add ICMP Redirect
> protection to the RA Guard feature they haven't implemented yet?
One of my points is that redirects are routing updates of a dynamic nature. If the hosts are intended to participate in the routing process perhaps they should speak a protocol that can be secured further vs something that can't.

Please join the discussion on ipv6 at ietf. It's part of a router and host requirements document.

>
> Owen
>
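The point Valdis makes above (a redirect installs a single host route, and a compromised machine on the same LAN can forge one) is easy to see by working through what a receiving host actually does with the packet. The following is an added example written for this page, not code from the thread or from any router or host implementation. It builds an IPv4 ICMP Redirect from raw bytes, parses it, applies the acceptance checks RFC 1122 section 3.2.2.2 tells hosts to perform (redirect must come from the current first-hop gateway; the new gateway must be on the connected network), and reports the /32 route that would result. Every address is a documentation-range address chosen for illustration, and the "compromised peer" 192.0.2.66 is a constructed scenario, not an observed attacker.

```python
# Added example (not from the NANOG thread): what an IPv4 ICMP Redirect
# installs on a receiving host, and why the RFC 1122 sanity checks do not
# stop a machine on the same LAN. All addresses are RFC 5737 documentation
# ranges, constructed for illustration.
import ipaddress
import struct

IPv4 = ipaddress.IPv4Address


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over valid data+checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, IPv4(src).packed, IPv4(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def build_redirect(src: str, dst: str, new_gw: str, orig_dst: str) -> bytes:
    """IP + ICMP Redirect (type 5, code 1 'redirect for host') from src to dst,
    telling dst to reach orig_dst via new_gw. A real router sets src to its
    own address; a forger sets it to whatever it likes."""
    # Embedded copy of the datagram that triggered the redirect: its IP
    # header plus the first 8 bytes of payload (constructed; contents unused).
    inner = _ipv4_header(dst, orig_dst, 17, 8) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", 5, 1, 0, IPv4(new_gw).packed) + inner
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return _ipv4_header(src, dst, 1, len(icmp)) + icmp


def parse_redirect(pkt: bytes) -> dict:
    """Extract the fields a host acts on from a redirect; raise ValueError otherwise."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl + 8 or pkt[9] != 1:
        raise ValueError("not an IPv4 ICMP packet")
    if _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    icmp = pkt[ihl:]
    if _checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if itype != 5 or code > 3:
        raise ValueError("not an ICMP redirect")
    inner = icmp[8:]
    if len(inner) < (inner[0] & 0x0F) * 4:
        raise ValueError("truncated inner header")
    return {"src": IPv4(pkt[12:16]), "code": code,
            "gateway": IPv4(gw), "target": IPv4(inner[16:20])}


def evaluate_redirect(pkt: bytes, onlink: str, first_hop: str):
    """Apply the RFC 1122 3.2.2.2 acceptance checks and return
    (accepted, route_or_reason). onlink is the receiving interface's prefix,
    first_hop the gateway currently used for the target."""
    r = parse_redirect(pkt)
    if r["src"] != IPv4(first_hop):
        return False, "redirect not from current first-hop gateway"
    if r["gateway"] not in ipaddress.IPv4Network(onlink):
        return False, "new gateway is not on the connected network"
    if r["code"] not in (0, 1):
        return False, "TOS-specific redirect not handled here"
    # What gets installed is a single host route, not a prefix or a default.
    return True, f"{r['target']}/32 via {r['gateway']}"


def demo() -> dict:
    """Four constructed redirects as seen by host 192.0.2.10 on 192.0.2.0/24."""
    host, gw, onlink, target = "192.0.2.10", "192.0.2.1", "192.0.2.0/24", "198.51.100.7"
    return {
        # Legitimate: the default gateway points the host at a second router.
        "legit": evaluate_redirect(build_redirect(gw, host, "192.0.2.2", target), onlink, gw),
        # Compromised peer using its own address as source: rejected.
        "naive_forge": evaluate_redirect(build_redirect("192.0.2.66", host, "192.0.2.66", target), onlink, gw),
        # Same peer spoofing the gateway's address: passes every check.
        "spoofed_forge": evaluate_redirect(build_redirect(gw, host, "192.0.2.66", target), onlink, gw),
        # Off-link gateway: rejected even from the real gateway.
        "offlink": evaluate_redirect(build_redirect(gw, host, "203.0.113.9", target), onlink, gw),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} accepted={result[0]} {result[1]}")
```

The "spoofed_forge" case is the one that matters: the source-address and on-link checks are satisfied by any host on the same segment that can spoof the gateway's IP, so the only host-side defence is to stop honouring redirects (on Linux, `net.ipv4.conf.all.accept_redirects=0`, and `net.ipv4.conf.all.send_redirects=0` on the router side); the per-destination /32 that results is also why recovery after a legitimate redirect is harder than withdrawing a prefix, as Valdis notes.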