nanog mailing list archives
Re: Should routers send redirects by default?
From: Valdis.Kletnieks () vt edu
Date: Fri, 20 Aug 2010 17:54:32 -0400
On Fri, 20 Aug 2010 16:08:19 CDT, Butch Evans said:
Maybe I'm missing something. Can you point me to something that will help me understand WHY an ICMP redirect is such a huge security concern? For most of the networks that I manage (or help to manage), I can see no reason why this would be an issue.
In general, it's not a big deal, except that unlike a proper routing protocol where you can redirect a /16 or a /default at a time and withdraw it when needed, ICMP redirects tend to form host routes that have to individually be redirected back if the routing flips back to its original status. Until a PC or something on the network gets pwned, and issues selective forged ICMP redirects to declare itself a router and the appropriate destination for some traffic, which it can then MITM to its heart's content. *Then* you truly have a manure-on-fan situation.
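Added example, not part of the original post: a host-side sanity check for received ICMP redirects, following the two discard conditions in RFC 1122 section 3.2.2.2 (sender must be the current first-hop gateway for the destination, and the new gateway must be on the connected subnet). The addresses, the `build_redirect` helper and the `check_redirect` function are constructed for illustration.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5
LAN = "192.0.2.0/24"      # constructed sample subnet
ROUTER = "192.0.2.1"      # constructed: the host's configured first hop

def build_redirect(gateway, orig_src, orig_dst, code=1):
    """Build a sample ICMP redirect (checksums left at zero for brevity)."""
    # Embedded original datagram: 20-byte IPv4 header plus 8 bytes of payload.
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        ipaddress.ip_address(orig_src).packed,
                        ipaddress.ip_address(orig_dst).packed) + bytes(8)
    # ICMP header: type, code, checksum, then the advertised gateway address.
    return struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.ip_address(gateway).packed) + inner

def check_redirect(sender, icmp, lan=LAN, first_hop=ROUTER):
    """Return the reasons a redirect should be discarded (empty list = passes)."""
    if len(icmp) < 36 or icmp[0] != ICMP_REDIRECT or icmp[1] > 3:
        return ["not a well-formed ICMP redirect"]
    new_gw = ipaddress.ip_address(icmp[4:8])
    dest = ipaddress.ip_address(icmp[24:28])  # dst field of the embedded IP header
    reasons = []
    if ipaddress.ip_address(sender) != ipaddress.ip_address(first_hop):
        reasons.append(f"sender {sender} is not the first hop {first_hop} for {dest}")
    if new_gw not in ipaddress.ip_network(lan):
        reasons.append(f"new gateway {new_gw} is outside {lan}")
    return reasons

if __name__ == "__main__":
    samples = {
        "router -> second on-link router": ("192.0.2.1", "192.0.2.254"),
        "LAN host names itself as gateway": ("192.0.2.50", "192.0.2.50"),
        "router names off-link gateway": ("192.0.2.1", "203.0.113.9"),
    }
    for label, (sender, gw) in samples.items():
        pkt = build_redirect(gw, "192.0.2.20", "198.51.100.10")
        print(label, "=>", check_redirect(sender, pkt) or "accept")
```

The sender comparison relies on the source address of the redirect being trustworthy, so it works as a detection aid alongside, not instead of, hosts that ignore redirects altogether.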