[128955] in North American Network Operators' Group


Re: Should routers send redirects by default?

daemon@ATHENA.MIT.EDU (Ricky Beam)
Fri Aug 20 21:24:51 2010

To: "Mark Smith" <nanog@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org>
Date: Fri, 20 Aug 2010 21:24:43 -0400
From: "Ricky Beam" <jfbeam@gmail.com>
In-Reply-To: <20100821101339.7e5d8e62@opy.nosense.org>
Cc: Christopher Morrow <christopher.morrow@gmail.com>,
	nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, 20 Aug 2010 20:43:39 -0400, Mark Smith  
<nanog@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org> wrote:
> You're assuming the cost of always hair pinning traffic on an interface
> is cheaper than issuing a redirect.

I am saying no such thing. (a single redirect packet is always more  
efficient.)  I *am* saying ICMP redirects are a mistake that should not be  
replicated in IPv6.  They are too easy to abuse, which is why they are  
almost universally ignored by IPv4 hosts.

In a *properly* configured network, redirects should not be necessary.  
(everything on the local LAN should know what's on the local LAN.) [For  
the record, my own networks don't follow that rule. :-) Coworkers throwing  
random crap on the wire doesn't help. *sigh* Don't go there.]

IPv6 has more than enough mistakes glued into it.  Redirects are a mess  
that does not need to be there.  For the purists who insist on making ugly
networks that are trivial to subvert, make ICMPv6 redirects *OPTIONAL*,
*REQUIRING* explicit configuration to enable.  Without strong  
authentication/authorization mechanisms, it'll be the same mess that it is  
in IPv4.

--Ricky
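
[Added example, not part of the original message or thread.] A host-side check for the policy argued above (redirects off unless explicitly enabled), assuming Linux sysctl key names; the function names `audit_redirects` and `sample_sysctl` are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Audit sysctl-style settings for ICMP redirect handling.
# Reads "key = value" lines on stdin (the format `sysctl -a` prints) and
# lists every redirect knob whose value is not 0. This is a plain
# per-key check; it does not model how the kernel combines the "all"
# and per-interface values.

audit_redirects() {
    awk -F'[ \t]*=[ \t]*' '
        # accept_redirects exists for IPv4 and IPv6, send_redirects for IPv4.
        # secure_redirects and unrelated keys are deliberately not matched.
        $1 ~ /^net\.ipv[46]\.conf\.[^.]+\.(accept|send)_redirects$/ {
            if ($2 != "0") { print $1; bad = 1 }
        }
        # Exit 1 if any redirect knob was left on, 0 otherwise.
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample input, not captured from a real host.
sample_sysctl() {
    cat <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.secure_redirects = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.eth0.accept_redirects = 1
EOF
}

# Demo run on the constructed sample; prints the three offending keys.
# On a live host: sysctl -a 2>/dev/null | audit_redirects
sample_sysctl | audit_redirects || true
```

An exit status of 0 means every matched redirect setting is explicitly 0, so the function can gate a configuration-compliance job.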

