[128945] in North American Network Operators' Group


Re: Should routers send redirects by default?

daemon@ATHENA.MIT.EDU (Ricky Beam)
Fri Aug 20 19:49:55 2010

To: "Christopher Morrow" <christopher.morrow@gmail.com>, "nanog list"
	<nanog@nanog.org>
Date: Fri, 20 Aug 2010 19:49:43 -0400
From: "Ricky Beam" <jfbeam@gmail.com>
In-Reply-To: <AANLkTimbJ4g7DigSBeToJR33NPF4CYrHzAgamTwPQd=k@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, 20 Aug 2010 13:20:58 -0400, Christopher Morrow  
<christopher.morrow@gmail.com> wrote:
> Polling a little bit here, there's an active discussion going on
> 6man@ietf about whether or not v6 routers should:
>   o be required to implement ip redirect functions (icmpv6 redirect)
>   o be sending these by default
...
> In ipv4 there's a relatively widely used practice of disabling ip
> redirects.

I think it's almost universally disabled (by default) everywhere in IPv4
purely for security (traffic interception.) In a perfectly run network,
redirects should never be necessary, so I'd think IPv6 should avoid going
down that road again. (support OPTIONAL, never enabled by default.) [It's
another insecure mistake IPv6 doesn't need to repeat.]

As I recall from long long ago, Cisco IOS would deal with traffic
differently depending on redirects... with redirects enabled, a redirect
was sent and the packet dropped; with redirects disabled, the router
hairpinned the packets. I honestly don't know what today's versions do
because I've never checked -- A can ping B, I move on. I turn redirects
off on *outside* interfaces. Inside (trustable) interfaces vary -- I
don't go out of my way to disable them.

--Ricky
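An added example, not part of Ricky's message or the thread: a small POSIX shell audit of the Linux sysctl knobs that govern ICMP redirect handling, reporting every per-interface setting that still sends (IPv4) or accepts (IPv4/IPv6) redirects. The input lines below are constructed; on a real host you would feed it the output of `sysctl -a` instead.

```shell
#!/bin/sh
# Added example (not from the post): audit Linux sysctl settings for ICMP
# redirect handling and report interfaces that still send or accept redirects.
# On a real host run:  sysctl -a 2>/dev/null | audit_redirects

audit_redirects() {
    # Reads "key = value" lines on stdin; prints one line per non-zero knob.
    # Keys of interest (the ones Linux exposes per interface):
    #   net.ipv4.conf.<if>.send_redirects    router side, IPv4
    #   net.ipv4.conf.<if>.accept_redirects  host side, IPv4
    #   net.ipv6.conf.<if>.accept_redirects  host side, IPv6
    # sysctl prints a '.' inside an interface name (eth0.100) as '/', so the
    # interface part of the key never contains a dot.
    awk -F' *= *' '
        $1 ~ /^net\.ipv[46]\.conf\.[^.]+\.(send|accept)_redirects$/ && $2 != 0 {
            print $1 " = " $2
        }'
}

count_findings() {
    # Number of offending knobs in the sysctl dump read from stdin.
    audit_redirects | wc -l | tr -d ' '
}

# Constructed sample of sysctl output (not from a real host): a router that
# still sends IPv4 redirects globally and accepts redirects on eth1.
SAMPLE='net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.eth1.accept_redirects = 1'

printf '%s\n' "$SAMPLE" | audit_redirects
```

Each line printed is a knob to set to 0 (persistently, in sysctl.conf) on an outside-facing interface; a clean dump prints nothing.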

