Bugtraq mailing list archives
ICMP unreachables (was: Watcher page moved...)
From: fitz () wang com (Tom Fitzgerald)
Date: Sun, 2 Apr 95 4:30:24 EDT
4) Should routers discard received redirects that aren't addressed to the router?
Routers should always ignore Redirects. A router using a routing protocol (other than static routes) MUST NOT consider paths learned from ICMP Redirects when forwarding a packet.
Yes, but this applies only to redirects which ARE addressed to the router. I was hoping for a way that a router could recognize a bogus redirect being sent through it to another host, and discard it, like it would discard source-routed traffic, or traffic with a spoofed source address.

Just as one example, Cisco routers can be configured to discard all ICMPs, but can't be configured to filter some types of ICMP but not others. It might work to filter out all ICMPs with a source address of the router itself, since apparently filters aren't applied to packets that originate on the router.

If the host ignores redirects that don't come from the current gateway (which it's supposed to do), then there shouldn't be any way to get a bogus redirect to it. If the host isn't careful about the source of redirects, then I don't think either Cisco or Netblazer access lists are enough to prevent spoofed redirects, without also disabling things like port-unreachables and ping, which are really too valuable to lose. Other routers may be more flexible.

--
Tom Fitzgerald 1-508-967-5278 Wang Labs, Lowell MA, USA fitz () wang com
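The host-side check the post relies on (accept a redirect only if it comes from the gateway currently used for that destination), as an added example that is not part of the original message. It goes one step beyond the post by also applying the RFC 1122 rule that the new gateway must be on the attached network; the function names, addresses and sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5
IP_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def build_redirect(src, dst, new_gw, orig_dst):
    """Build a constructed sample packet (checksums left zero, test data only)."""
    a = lambda s: ipaddress.IPv4Address(s).packed
    # Header + 8 bytes of the datagram the host originally sent to orig_dst.
    inner = struct.pack(IP_HDR, 0x45, 0, 28, 0, 0, 64, 17, 0, a(dst), a(orig_dst)) + bytes(8)
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, a(new_gw)) + inner
    outer = struct.pack(IP_HDR, 0x45, 0, 20 + len(icmp), 0, 0, 255, 1, 0, a(src), a(dst))
    return outer + icmp

def check_redirect(packet, routes, default_gw, local_net):
    """Host-side decision for one received IPv4 packet: (accept, reason).

    routes maps a destination address to the first-hop gateway in use for it;
    anything not listed goes through default_gw. Checksum validation is omitted.
    """
    if len(packet) < 20 or packet[9] != 1:
        return False, "not an ICMP packet"
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_REDIRECT:
        return False, "not a complete redirect"
    src = ipaddress.IPv4Address(packet[12:16])
    new_gw = ipaddress.IPv4Address(icmp[4:8])
    orig_dst = ipaddress.IPv4Address(icmp[24:28])  # dst field of embedded header
    current_gw = routes.get(orig_dst, default_gw)
    if src != current_gw:
        return False, f"source {src} is not the current gateway for {orig_dst}"
    if new_gw not in local_net:
        return False, f"new gateway {new_gw} is not on the attached network"
    return True, f"use {new_gw} for {orig_dst}"

# Constructed sample state and packets; all addresses are made up.
LOCAL_NET = ipaddress.IPv4Network("192.168.1.0/24")
GATEWAY = ipaddress.IPv4Address("192.168.1.1")
HOST, DEST = "192.168.1.50", "10.9.8.7"

def demo():
    samples = {
        "from_gateway": build_redirect("192.168.1.1", HOST, "192.168.1.2", DEST),
        "from_other_host": build_redirect("192.168.1.66", HOST, "192.168.1.66", DEST),
        "off_link_target": build_redirect("192.168.1.1", HOST, "203.0.113.9", DEST),
    }
    return {n: check_redirect(p, {}, GATEWAY, LOCAL_NET)[0] for n, p in samples.items()}

if __name__ == "__main__":
    print(demo())
```

The check trusts the IP source field, so it is only as strong as the spoofed-source filtering on the path, which the post notes routers already perform.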