nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Should routers send redirects by default?

From: Valdis.Kletnieks () vt edu
Date: Fri, 20 Aug 2010 17:54:32 -0400
On Fri, 20 Aug 2010 16:08:19 CDT, Butch Evans said:


Maybe I'm missing something.  Can you point me to something that will
help my understand WHY an ICMP redirect is such a huge security concern?
For most of the networks that I manage (or help to manage), I can see no
reason why this would be an issue.


In general, it's not a big deal, except that unlike a proper routing protocol
where you can redirect a /16 or a /default at a time and withdraw it when
needed, ICMP redirects tend to form host routes that have to individually be
redirected back if the routing flips back to its original status.

Until a PC or something on the network gets pwned, and issues selective forged
ICMP redirects to declare itself a router and the appropriate destination for
some traffic, which it can then MITM to its heart's content. *Then* you truly
have a manure-on-fan situation.

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: