nanog mailing list archives
Re: Should routers send redirects by default?
From: Butch Evans <butche () butchevans com>
Date: Tue, 24 Aug 2010 22:08:57 -0500
On Fri, 2010-08-20 at 21:34 -0400, Brandon Ross wrote:
So far I have not heard a single compelling argument for how the _transmittal_ of ICMP redirects can cause any significant harm to a network other than what the other typical protocols that are enabled by default (ping, can't fragment, etc.) cause. I will make the statement:
I agree with you here, Brandon. I asked the question: "What is the real security hole?" because I cannot see any real risk here for MOST of the networks that I am involved in. I can see the possibility of MITM attacks with ICMP redirects, but that is not the case for (as you point out) a router that issues an ICMP redirect. Also, it is not my experience that most host OSes have this disabled either. That being the case, it seems to me that eliminating the behavior of transmitting these redirects in a router is of little value in protecting against MITM attacks.
The transmittal of ICMP redirects by a router _cannot_ be exploited to create a man in the middle attack.
I'd have to agree with this. More because my limited research (which includes responses I've seen on this thread) seems to indicate that this is the case.
Before anyone responds to that statement, please read it very carefully. This statement does not comment on whether a host or router should be configured to _receive_ an ICMP redirect and act on it; that clearly can be used to create a MITM attack.
If a network has a single router, then wouldn't this also create a DoS situation under the right circumstances? I mean, if it can create MITM, it would HAVE to also create DoS possibilities. What is the distance of a route learned from an ICMP redirect? If it is greater than 0 (connected route) or 1 (static route) but less than the cost of other dynamically learned routes, then I can see why this may be a problem for a router to respond to an ICMP redirect packet.

-- 
Butch Evans
Professional Network Consultation
http://www.butchevans.com/ - Network Engineering
http://store.wispgear.net/ - Wired or Wireless Networks
http://blog.butchevans.com/ - ImageStream, Mikrotik and MORE!
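The thread's point is that the risk sits with the host that _accepts_ a redirect, not the router that sends one. As an added example (not code from this thread or any of its participants), the following Python applies the RFC 1122 section 3.2.2.2 acceptance rules a receiving host should enforce: the redirect must come from the current first-hop gateway, and the new gateway must be on the directly connected network. The sample packets, the host/gateway addresses (RFC 5737 documentation ranges) and the `build_redirect` fixture are constructed here for testing the check.

```python
import ipaddress
import struct

def build_redirect(src, dst, new_gw, orig_dst):
    """Constructed test fixture only: an IPv4 packet carrying an ICMP Redirect
    (type 5, code 1) telling host `dst` to reach `orig_dst` via `new_gw`.
    Checksums are left at zero; a real stack verifies them before this check."""
    p = lambda a: ipaddress.IPv4Address(a).packed
    # Quoted original datagram: IP header + 8 bytes of payload, per RFC 792.
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, p(dst), p(orig_dst)) + b"\0" * 8
    icmp = struct.pack("!BBH4s", 5, 1, 0, p(new_gw)) + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, p(src), p(dst))
    return outer + icmp

def check_redirect(packet, my_addr, prefix_len, current_gw):
    """Apply the RFC 1122 section 3.2.2.2 acceptance rules to a received redirect.
    Returns 'accept: ...' or 'reject: <reason>'."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        return "reject: not ICMP"
    sender = ipaddress.IPv4Address(packet[12:16])
    icmp = packet[ihl:]
    if icmp[0] != 5:
        return "reject: not an ICMP redirect"
    new_gw = ipaddress.IPv4Address(icmp[4:8])
    inner = icmp[8:]
    inner_src = ipaddress.IPv4Address(inner[12:16])
    inner_dst = ipaddress.IPv4Address(inner[16:20])
    me = ipaddress.IPv4Address(my_addr)
    link = ipaddress.IPv4Network(f"{my_addr}/{prefix_len}", strict=False)
    # RFC 1122: discard unless the sender is the current first-hop gateway.
    if sender != ipaddress.IPv4Address(current_gw):
        return "reject: sender is not the current first-hop gateway"
    # RFC 1122: discard unless the new gateway is on the directly connected network.
    if new_gw not in link or new_gw == me:
        return "reject: new gateway is not a usable on-link address"
    # Extra sanity check (an assumption added here, not an RFC rule): the quoted datagram must be ours.
    if inner_src != me:
        return "reject: quoted datagram was not sent by this host"
    return f"accept: host route {inner_dst} via {new_gw}"

# Constructed scenario: host 192.0.2.10/24 uses 192.0.2.1 as its first-hop gateway.
HOST, PREFIX, GATEWAY = "192.0.2.10", 24, "192.0.2.1"
LEGIT = build_redirect(GATEWAY, HOST, "192.0.2.254", "198.51.100.5")
FROM_OTHER_HOST = build_redirect("192.0.2.66", HOST, "192.0.2.66", "198.51.100.5")
OFF_LINK_GW = build_redirect(GATEWAY, HOST, "203.0.113.1", "198.51.100.5")

if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT), ("other-host", FROM_OTHER_HOST), ("off-link", OFF_LINK_GW)]:
        print(name, "->", check_redirect(pkt, HOST, PREFIX, GATEWAY))
```

Only the first sample passes; the other two are exactly the cases the RFC rules exist to discard, which is why a host that skips them is the weak point rather than the sending router.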