Re: Should routers send redirects by default?

[Owen DeLong <owen () delong com>]

On Aug 20, 2010, at 2:54 PM, Valdis.Kletnieks () vt edu wrote:

> On Fri, 20 Aug 2010 16:08:19 CDT, Butch Evans said:
>
> > Maybe I'm missing something.  Can you point me to something that will
> > help my understand WHY an ICMP redirect is such a huge security concern?
> > For most of the networks that I manage (or help to manage), I can see no
> > reason why this would be an issue.
>
> In general, it's not a big deal, except that unlike a proper routing protocol
> where you can redirect a /16 or a /default at a time and withdraw it when
> needed, ICMP redirects tend to form host routes that have to individually be
> redirected back if the routing flips back to its original status.
>
> Until a PC or something on the network gets pwned, and issues selective forged
> ICMP redirects to declare itself a router and the appropriate destination for
> some traffic, which it can then MITM to its heart's content. *Then* you truly
> have a manure-on-fan situation.

This is worse than said PC issuing rogue RAs exactly how?

Perhaps we should pressure switch vendors to add ICMP Redirect
protection to the RA Guard feature they haven't implemented yet?

Owen