nanog mailing list archives

Re: Should routers send redirects by default?


From: Butch Evans <butche () butchevans com>
Date: Fri, 20 Aug 2010 16:08:19 -0500

On Fri, 2010-08-20 at 16:03 -0400, Jared Mauch wrote: 
One of the challenges is that some vendors have a poor track-record of
documenting these defaults.  This means unless you frequently sample
your network traffic, you may not see your device sending decnet mop
messages, or ipv6 redirects :)

I agree.  

Personally (and as the instigator in the ipv6/6man discussion) if the
vendors could be trusted to expose their default settings in their
configs, I would find a default of ON to be more acceptable.

The reason it doesn't matter to me WHICH one it is (on OR off) is
because if/when a need arises to have ICMP redirect to be working (this
is the exception and NOT the norm), it is easy to see why things do not
work as expected.  If my preferred gear is a Linux box (and it is,
usually), and for some reason I need this to work, I simply run a
tcpdump to capture the packets and I see that the redirect (which would
be expected) is missing, then I can easily fix the problem by enabling
that feature.  Same is true for the reverse.

If people want to hang themselves
that's their problem, but at least they won't come with a hidden noose 
around their neck.

Maybe I'm missing something.  Can you point me to something that will
help me understand WHY an ICMP redirect is such a huge security concern?
For most of the networks that I manage (or help to manage), I can see no
reason why this would be an issue.

-- 
********************************************************************
* Butch Evans                   * Professional Network Consultation*
* http://www.butchevans.com/    * Network Engineering              *
* http://store.wispgear.net/    * Wired or Wireless Networks       *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *
********************************************************************
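The post's point is that redirect behaviour is only visible if you go looking for it. The script below is an added example, not code from the poster or from the thread: it audits the Linux redirect knobs per interface (the send_redirects / accept_redirects sysctls under /proc/sys) and flags interfaces that would still honour inbound redirects. The sample tree, interface names and distro-default values it constructs are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit the Linux ICMP redirect sysctls the post refers to.
# Reads per-interface files under a given root (default /proc/sys) so the
# same function can be run on a live host or against a constructed tree.
# Assumed paths: net/ipv{4,6}/conf/<iface>/{send,accept}_redirects.
# To confirm on the wire what the post describes (a redirect that is or
# is not being sent), a capture filter such as
#   tcpdump -ni eth0 'icmp[icmptype] == icmp-redirect or (icmp6 and ip6[40] == 137)'
# shows IPv4 (type 5) and IPv6 (type 137) redirects.

# read_knob ROOT FAMILY IFACE KNOB -> prints 0/1, or "n/a" if the knob is absent
read_knob() {
    f="$1/net/$2/conf/$3/$4"
    if [ -r "$f" ]; then cat "$f"; else echo "n/a"; fi
}

# audit_redirects ROOT -> one line per interface:
#   "<iface> send=<v4> accept4=<v4> accept6=<v6>[ ACCEPTS-REDIRECTS]"
# Exit status 1 if any interface still accepts redirects, 0 otherwise.
audit_redirects() {
    root="${1:-/proc/sys}"
    rc=0
    for d in "$root"/net/ipv4/conf/*; do
        [ -d "$d" ] || continue
        ifc=$(basename "$d")
        send=$(read_knob "$root" ipv4 "$ifc" send_redirects)
        acc4=$(read_knob "$root" ipv4 "$ifc" accept_redirects)
        acc6=$(read_knob "$root" ipv6 "$ifc" accept_redirects)
        flag=""
        if [ "$acc4" = 1 ] || [ "$acc6" = 1 ]; then
            flag=" ACCEPTS-REDIRECTS"
            rc=1
        fi
        printf '%s send=%s accept4=%s accept6=%s%s\n' \
            "$ifc" "$send" "$acc4" "$acc6" "$flag"
    done
    return $rc
}

# make_sample_tree ROOT: constructed sysctl tree (not a real host) with
# send_redirects on everywhere, accept_redirects left on for all/eth0
# and switched off on eth1, mirroring a half-hardened router.
make_sample_tree() {
    for ifc in all eth0 eth1; do
        mkdir -p "$1/net/ipv4/conf/$ifc" "$1/net/ipv6/conf/$ifc"
        echo 1 > "$1/net/ipv4/conf/$ifc/send_redirects"
        echo 1 > "$1/net/ipv4/conf/$ifc/accept_redirects"
        echo 1 > "$1/net/ipv6/conf/$ifc/accept_redirects"
    done
    echo 0 > "$1/net/ipv4/conf/eth1/accept_redirects"
    echo 0 > "$1/net/ipv6/conf/eth1/accept_redirects"
}
```

Run `audit_redirects` with no argument on a live box to see the real defaults; a non-zero exit status means at least one interface will still re-route on an inbound redirect.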


