Re: Should routers send redirects by default?

[Christopher Morrow <morrowc.lists () gmail com>]

I appreciate the discussion.. Eric, are you reflecting messages back
to the list without additional content for a reason?

list-admin folks, could we ping eric and see what's busted?

On Fri, Aug 20, 2010 at 9:08 PM, Eric J. Katanich <ekat () onyxlight net> wrote:
> On 08/21/2010 02:08 AM, Brandon Ross wrote:
> > On Fri, 20 Aug 2010, Ricky Beam wrote:
> >
> > > I think it's almost universally disabled (by default) everywhere in
> > > IPv4 purely for security (traffic interception.)
> >
> > Okay, I'll ask again.  Exactly how does disabling ICMP redirects on my
> > router prevent traffic from being intercepted?
> As was mentioned in an other part of the thread.
>
> You disable it on the host and if no host is using it, you might as well
> disable it on the router as wel. Others mentioned
> some routers need to handle this in software instead of hardware, which
> is obviously slower.
>
> It might also help you notice you have a roque host when you are looking
> at your network-traffic and if you know your
> network doesn't have any ICMP-redirects normally.
>
> disabling on the host:
> OpenBSD:
> echo net.inet.icmp.rediraccept=0 >> /etc/sysctl.conf
> echo net.inet6.icmp6.rediraccept=0 >> /etc/sysctl.conf
> sysctl net.inet.icmp.rediraccept=0
> sysctl net.inet6.icmp6.rediraccept=0
>
> FreeBSD:
> echo net.inet.icmp.drop_redirect=0 >> /etc/sysctl.conf
> echo net.inet6.icmp6.rediraccept=0 >> /etc/sysctl.conf
> sysctl net.inet.icmp.drop_redirect=0
> sysctl net.inet6.icmp6.rediraccept=0
>
> Linux:
> echo net.ipv4.conf.all.accept_redirects = 0 >> /etc/sysctl.conf
> echo net.ipv4.conf.all.send_redirects = 0 >> /etc/sysctl.conf
> sysctl -p /etc/sysctl.conf