[128948] in North American Network Operators' Group


Re: Should routers send redirects by default?

daemon@ATHENA.MIT.EDU (Leen Besselink)
Fri Aug 20 21:01:27 2010

Date: Sat, 21 Aug 2010 03:01:16 +0200
From: Leen Besselink <leen@consolejunkie.net>
To: nanog@nanog.org
In-Reply-To: <Pine.OSX.4.64.1008202007500.325@host-130-128-1-44.enet.interop.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 08/21/2010 02:08 AM, Brandon Ross wrote:
> On Fri, 20 Aug 2010, Ricky Beam wrote:
>
>> I think it's almost universally disabled (by default) everywhere in 
>> IPv4 purely for security (traffic interception.)
>
> Okay, I'll ask again.  Exactly how does disabling ICMP redirects on my 
> router prevent traffic from being intercepted?
>
As was mentioned in another part of the thread.

You disable it on the host, and if no host is using it, you might as well
disable it on the router as well. Others mentioned some routers need to
handle this in software instead of hardware, which is obviously slower.

It might also help you notice you have a rogue host when you are looking
at your network traffic, if you know your network doesn't have any
ICMP redirects normally.

disabling on the host:
OpenBSD:
echo net.inet.icmp.rediraccept=0 >> /etc/sysctl.conf
echo net.inet6.icmp6.rediraccept=0 >> /etc/sysctl.conf
sysctl net.inet.icmp.rediraccept=0
sysctl net.inet6.icmp6.rediraccept=0

FreeBSD:
# drop_redirect=1 means "drop"; 0 (the default) would keep accepting them
echo net.inet.icmp.drop_redirect=1 >> /etc/sysctl.conf
echo net.inet6.icmp6.rediraccept=0 >> /etc/sysctl.conf
sysctl net.inet.icmp.drop_redirect=1
sysctl net.inet6.icmp6.rediraccept=0

Linux:
echo net.ipv4.conf.all.accept_redirects = 0 >> /etc/sysctl.conf
echo net.ipv4.conf.all.send_redirects = 0 >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
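An added example, not part of Leen's message or the thread: a small Python checker for the "rogue host" point above. It parses raw IPv4 packets, keeps only ICMP redirects (type 5) with a valid checksum, and reports any whose sender is not a router you expect to send them; the packets, addresses and helper names are constructed for the example.

```python
# Added example: spot ICMP redirects from unexpected senders in captured traffic.
import ipaddress
import struct

ICMP_REDIRECT = 5  # ICMP type for Redirect (RFC 792)

def icmp_checksum(data: bytes) -> int:
    """Standard ones-complement checksum; returns 0 for data carrying a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_redirect(src: str, dst: str, gateway: str, code: int = 1) -> bytes:
    """Constructed sample: an IPv4 packet carrying an ICMP redirect-to-host."""
    quoted = b"\x45\x00\x00\x1c" + b"\x00" * 24  # stand-in for the quoted offending datagram
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, ipaddress.IPv4Address(gateway).packed) + quoted
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip_hdr + icmp

def parse_redirect(packet: bytes):
    """Return (sender, advertised gateway, code) for a well-formed ICMP redirect, else None."""
    if len(packet) < 28:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(packet) < ihl + 8:
        return None
    icmp = packet[ihl:]
    icmp_type, code, _, gateway = struct.unpack("!BBH4s", icmp[:8])
    if icmp_type != ICMP_REDIRECT or icmp_checksum(icmp) != 0:
        return None  # not a redirect, or corrupted; ignore
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(gateway)), code)

def find_rogue_redirects(packets, trusted_routers):
    """Redirects not sent by a trusted router. On a network where redirects are
    disabled, pass an empty list: every redirect seen is then worth a look."""
    trusted = {ipaddress.IPv4Address(r) for r in trusted_routers}
    return [p for p in map(parse_redirect, packets)
            if p and ipaddress.IPv4Address(p[0]) not in trusted]

# Constructed traffic: one redirect from the gateway, one from an ordinary LAN host, some noise.
SAMPLE = [
    build_redirect("192.0.2.1", "192.0.2.50", "192.0.2.2"),
    build_redirect("192.0.2.77", "192.0.2.50", "192.0.2.77"),
    b"\x45\x00\x00\x14" + b"\x00" * 16,  # non-ICMP packet, ignored
]
```

Run it over the output of a raw capture (one packet per bytes object) and pass your real default gateways as `trusted_routers`; the constructed `SAMPLE` flags only the 192.0.2.77 packet.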