[128944] in North American Network Operators' Group


Re: Should routers send redirects by default?

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Aug 20 19:32:16 2010

To: Brandon Ross <bross@pobox.com>
In-Reply-To: Your message of "Fri, 20 Aug 2010 18:16:35 EDT."
	<Pine.OSX.4.64.1008201814110.325@host-130-128-1-44.enet.interop.net>
From: Valdis.Kletnieks@vt.edu
Date: Fri, 20 Aug 2010 19:31:38 -0400
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, 20 Aug 2010 18:16:35 EDT, Brandon Ross said:

> How does turning off ICMP redirects on the router prevent a rogue PC from
> sending ICMP redirects to its neighbors?

If I know for a fact that the network is designed such that I will never ever
receive a valid ICMP redirect because there is exactly one route off the
network, I can safely turn off "accept ICMP redirects" and be done with it.

If I have to allow ICMP in, it becomes a much more interesting iptables/whatever
issue.

On Fri, 20 Aug 2010 15:34:17 PDT, Owen DeLong said:

> This is worse than said PC issuing rogue RAs exactly how?

It's the exact same problem, actually.

> Perhaps we should pressure switch vendors to add ICMP Redirect
> protection to the RA Guard feature they haven't implemented yet?

You mean you aren't already? ;)

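Added example, not part of the original message: on a Linux host, one way to confirm that "accept ICMP redirects" is really off on every interface. The kernel combines `conf/all` with the per-interface setting (OR when forwarding is disabled, AND when it is enabled), so clearing only one of them on a host leaves redirects accepted. The function names and the `CONF_ROOT` override are assumptions of this example.

```shell
#!/bin/sh
# Added example: report interfaces that will still act on ICMP redirects.
# CONF_ROOT can be overridden to run the logic against a constructed tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Read a 0/1 sysctl file; a missing file is treated as 0.
read_knob() {
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

# Print 1 if redirects are effectively accepted on interface $1, else 0.
# Kernel rule (ip-sysctl documentation):
#   forwarding enabled  -> all AND interface
#   forwarding disabled -> all OR  interface
effective_accept() {
    all=$(read_knob "$CONF_ROOT/all/accept_redirects")
    own=$(read_knob "$CONF_ROOT/$1/accept_redirects")
    fwd=$(read_knob "$CONF_ROOT/$1/forwarding")
    if [ "$fwd" = "1" ]; then
        if [ "$all" = "1" ] && [ "$own" = "1" ]; then echo 1; else echo 0; fi
    else
        if [ "$all" = "1" ] || [ "$own" = "1" ]; then echo 1; else echo 0; fi
    fi
}

# List, one per line, the interfaces that still accept redirects.
exposed_interfaces() {
    for dir in "$CONF_ROOT"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        case "$name" in all|default) continue ;; esac
        if [ "$(effective_accept "$name")" = "1" ]; then echo "$name"; fi
    done
}

exposed_interfaces
```

An empty result means no interface will install a route from a redirect; any name printed needs both `all` and its own `accept_redirects` checked.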


