[128964] in North American Network Operators' Group


Re: Should routers send redirects by default?

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Sat Aug 21 11:19:47 2010

In-Reply-To: <3887672486120547ACEB7B3ACA6E46EC1B40E46E@exchange>
Date: Sat, 21 Aug 2010 11:19:30 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: "Eric J. Katanich" <ekat@onyxlight.net>, NANOG Admins <admins@nanog.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

I appreciate the discussion.. Eric, are you reflecting messages back
to the list without additional content for a reason?

list-admin folks, could we ping eric and see what's busted?

On Fri, Aug 20, 2010 at 9:08 PM, Eric J. Katanich <ekat@onyxlight.net> wrote:
> On 08/21/2010 02:08 AM, Brandon Ross wrote:
>> On Fri, 20 Aug 2010, Ricky Beam wrote:
>>
>>> I think it's almost universally disabled (by default) everywhere in
>>> IPv4 purely for security (traffic interception.)
>>
>> Okay, I'll ask again. Exactly how does disabling ICMP redirects on my
>> router prevent traffic from being intercepted?
>>
> As was mentioned in another part of the thread.
>
> You disable it on the host, and if no host is using it, you might as well
> disable it on the router as well. Others mentioned that some routers need
> to handle this in software instead of hardware, which is obviously slower.
>
> It might also help you notice you have a rogue host when you are looking
> at your network traffic and you know your network doesn't have any
> ICMP redirects normally.
>
> disabling on the host:
> OpenBSD:
> echo net.inet.icmp.rediraccept=0 >> /etc/sysctl.conf
> echo net.inet6.icmp6.rediraccept=0 >> /etc/sysctl.conf
> sysctl net.inet.icmp.rediraccept=0
> sysctl net.inet6.icmp6.rediraccept=0
>
> FreeBSD:
> # drop_redirect is inverted relative to rediraccept: 1 drops redirects,
> # 0 (the default) accepts them
> echo net.inet.icmp.drop_redirect=1 >> /etc/sysctl.conf
> echo net.inet6.icmp6.rediraccept=0 >> /etc/sysctl.conf
> sysctl net.inet.icmp.drop_redirect=1
> sysctl net.inet6.icmp6.rediraccept=0
>
> Linux:
> # conf.all.* alone does not win on Linux: accept_redirects stays on for a
> # non-forwarding host if either all or the per-interface key is 1, and
> # send_redirects is on if either is 1. Set default.* too (and the
> # per-interface keys for interfaces that already exist).
> echo net.ipv4.conf.all.accept_redirects = 0 >> /etc/sysctl.conf
> echo net.ipv4.conf.default.accept_redirects = 0 >> /etc/sysctl.conf
> echo net.ipv4.conf.all.send_redirects = 0 >> /etc/sysctl.conf
> echo net.ipv4.conf.default.send_redirects = 0 >> /etc/sysctl.conf
> echo net.ipv6.conf.all.accept_redirects = 0 >> /etc/sysctl.conf
> echo net.ipv6.conf.default.accept_redirects = 0 >> /etc/sysctl.conf
> sysctl -p /etc/sysctl.conf

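Added example, not part of the original message or the quoted reply: a small Python script that performs the traffic check the quoted text describes, i.e. picking ICMP Redirects (type 5) out of captured IPv4 frames and flagging any that come from a box that is not one of your routers. The frames in SAMPLE_TRAFFIC, the documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the legit_routers set are all constructed for illustration; feed it real frames (IPv4 header onward) from a capture to use it. With legit_routers left empty, which is the state of a network where redirects are disabled on every router, every redirect seen is an alert.

```python
"""Find ICMP Redirects in IPv4 traffic and flag those from unexpected senders.
Added example for this thread, not code from the original post; frames and
addresses below are constructed, not captured."""
import ipaddress
import struct

ICMP_REDIRECT = 5
REDIRECT_CODES = {
    0: "redirect for network",
    1: "redirect for host",
    2: "redirect for TOS and network",
    3: "redirect for TOS and host",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Run over data that already carries
    its correct checksum it returns 0, which is how parsing verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_redirect(src, dst, gateway, orig_src, orig_dst, code=1) -> bytes:
    """Construct an IPv4 packet carrying an ICMP Redirect (sample input only).
    Per RFC 792 the ICMP payload quotes the original datagram's IP header plus
    its first 8 bytes; here that is a made-up UDP/53 flow."""
    inner_udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    inner_ip = _ipv4_header(orig_src, orig_dst, 17, len(inner_udp), 0x1234)
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.IPv4Address(gateway).packed) + inner_ip + inner_udp
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return _ipv4_header(src, dst, 1, len(icmp), 0x4321) + icmp


def parse_icmp_redirect(pkt: bytes):
    """Return the fields of an ICMP Redirect carried in an IPv4 packet, or None.
    None covers: not IPv4, not ICMP, not type 5, truncated, or bad ICMP
    checksum (so a mangled frame is not mistaken for an attack)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len > len(pkt) or pkt[9] != 1:
        return None
    icmp = pkt[ihl:total_len]
    # 8-byte redirect header plus at least the quoted 20-byte inner IP header
    if len(icmp) < 28 or inet_checksum(icmp) != 0 or icmp[0] != ICMP_REDIRECT:
        return None
    inner = icmp[8:]
    return {
        "from": str(ipaddress.IPv4Address(pkt[12:16])),
        "to": str(ipaddress.IPv4Address(pkt[16:20])),
        "code": REDIRECT_CODES.get(icmp[1], "unknown code %d" % icmp[1]),
        "gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }


def audit_redirects(packets, legit_routers):
    """One alert string per redirect whose sender is not in legit_routers.
    A redirect is only legitimate from the on-link first hop, so the sender
    is what to check; the advertised gateway says where the sender is trying
    to steer the victim's traffic."""
    alerts = []
    for pkt in packets:
        r = parse_icmp_redirect(pkt)
        if r is not None and r["from"] not in legit_routers:
            alerts.append("%s from %s to %s: traffic for %s steered via %s"
                          % (r["code"], r["from"], r["to"], r["orig_dst"], r["gateway"]))
    return alerts


# Constructed sample traffic, not a real capture: one redirect from the real
# router 192.0.2.1, one from host 192.0.2.66 naming itself as the gateway
# (the interception pattern), and one non-ICMP frame that must be ignored.
SAMPLE_TRAFFIC = [
    build_redirect("192.0.2.1", "192.0.2.50", "192.0.2.2", "192.0.2.50", "198.51.100.10"),
    build_redirect("192.0.2.66", "192.0.2.50", "192.0.2.66", "192.0.2.50", "203.0.113.7"),
    b"\x45\x00\x00\x1c" + b"\x00" * 24,  # IPv4, protocol 0, not ICMP
]

if __name__ == "__main__":
    for line in audit_redirects(SAMPLE_TRAFFIC, legit_routers={"192.0.2.1"}):
        print("ALERT:", line)
```

Run as-is it prints one alert, for the host 192.0.2.66 steering 203.0.113.7 traffic through itself; the redirect from 192.0.2.1 passes because that address is in legit_routers. The ICMP checksum check is deliberate: a frame with a flipped byte is dropped rather than reported, so a noisy link does not turn into a pile of false positives.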