nanog mailing list archives

Re: Should routers send redirects by default?


From: Jared Mauch <jared () puck nether net>
Date: Fri, 20 Aug 2010 18:29:07 -0400

See below

Jared Mauch

On Aug 20, 2010, at 6:16 PM, Brandon Ross <bross () pobox com> wrote:

On Fri, 20 Aug 2010, Valdis.Kletnieks () vt edu wrote:

Until a PC or something on the network gets pwned, and issues selective forged
ICMP redirects to declare itself a router and the appropriate destination for
some traffic, which it can then MITM to its heart's content. *Then* you truly
have a manure-on-fan situation.

I believe the question was along the lines of, "why do I turn this off on my router?"

How does turning off ICMP redirects on the router prevent a rogue PC from sending ICMP redirects to its neighbors?

I'm in the same boat here.  I know there's a lot of conventional wisdom that says to turn it off, but I have yet to hear
a convincing argument as to why I should bother.  Now configuring your hosts to ignore them, that I could understand.


The issue is that routers typically do this in software, requiring a punt and stealing CPU from BGP, OSPF, etc.

-- 
Brandon Ross                                              AIM:  BrandonNRoss
                                                              ICQ:  2269442
                                  Skype:  brandonross  Yahoo:  BrandonNRoss
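The attack Valdis describes and the host-side fix Brandon mentions, as an added example that is not part of the thread: a rogue PC forges an ICMP Redirect (type 5) that claims to come from the real gateway and points a destination at itself, and the victim host applies the RFC 1122 acceptance checks plus the two Linux knobs net.ipv4.conf.*.accept_redirects and *.secure_redirects. All addresses are constructed from the RFC 5737 documentation ranges; nothing is sent on a socket. The router-side send_redirects setting is deliberately absent, since, as the thread notes, it has no bearing on what a neighbour on the LAN can forge.

```python
"""Forged ICMP redirect and host-side acceptance checks.

Added example, not code from the NANOG thread. Addresses are constructed
(RFC 5737 documentation ranges); the policy flags model the Linux sysctls
net.ipv4.conf.*.accept_redirects and *.secure_redirects.
"""
import ipaddress
import struct

ICMP_REDIRECT = 5      # ICMP type: Redirect (RFC 792)
REDIRECT_HOST = 1      # code 1: redirect datagrams for this host


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_redirect(new_gateway: str, offending: bytes) -> bytes:
    """ICMP Redirect: type, code, checksum, new gateway, then the IP header and
    first 8 bytes of the datagram being redirected."""
    body = struct.pack("!BBH4s", ICMP_REDIRECT, REDIRECT_HOST, 0,
                       ipaddress.IPv4Address(new_gateway).packed) + offending[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp_redirect(pkt: bytes) -> dict:
    """Decode a redirect; a packet with a correct checksum sums to zero."""
    typ, code, _csum, gw = struct.unpack("!BBH4s", pkt[:8])
    if typ != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect")
    if inet_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    orig_dst = pkt[8 + 16:8 + 20]   # destination field of the embedded IP header
    return {"code": code,
            "gateway": str(ipaddress.IPv4Address(gw)),
            "destination": str(ipaddress.IPv4Address(orig_dst))}


def host_accepts_redirect(icmp_src: str, redirect: dict, *, current_gateway: str,
                          local_net: str, known_gateways: tuple,
                          accept_redirects: bool, secure_redirects: bool) -> tuple:
    """Decide whether a host should honour a redirect.

    RFC 1122 3.2.2.2: the ICMP source must be the current first-hop gateway and
    the new gateway must be on the connected subnet. A rogue neighbour can
    satisfy both by spoofing the gateway's address, which is why the sysctls exist.
    """
    if not accept_redirects:
        return False, "accept_redirects=0: redirect ignored"
    if icmp_src != current_gateway:
        return False, "source %s is not the current first-hop gateway" % icmp_src
    if ipaddress.IPv4Address(redirect["gateway"]) not in ipaddress.IPv4Network(local_net):
        return False, "new gateway %s is off-subnet" % redirect["gateway"]
    if secure_redirects and redirect["gateway"] not in known_gateways:
        return False, "secure_redirects=1: %s is not a configured gateway" % redirect["gateway"]
    return True, "route to %s now via %s" % (redirect["destination"], redirect["gateway"])


def demo() -> dict:
    """Constructed scenario: rogue PC 192.0.2.66 forges a redirect with the real
    gateway 192.0.2.1 as source, steering host 192.0.2.10's traffic for
    198.51.100.5 through itself."""
    host, gateway, rogue, victim_dst = "192.0.2.10", "192.0.2.1", "192.0.2.66", "198.51.100.5"
    offending = ipv4_header(host, victim_dst, 6, 8) + b"\x00" * 8   # IP header + 8 bytes of TCP
    pkt = build_icmp_redirect(rogue, offending)
    redirect = parse_icmp_redirect(pkt)
    policy = dict(current_gateway=gateway, local_net="192.0.2.0/24", known_gateways=(gateway,))
    return {
        "redirect": redirect,
        # spoofed source passes both RFC checks: the host is now MITM'd
        "permissive": host_accepts_redirect(gateway, redirect, accept_redirects=True,
                                            secure_redirects=False, **policy),
        # secure_redirects: the new gateway must already be a known gateway
        "secure": host_accepts_redirect(gateway, redirect, accept_redirects=True,
                                        secure_redirects=True, **policy),
        # what the thread suggests for hosts: ignore redirects outright
        "ignore": host_accepts_redirect(gateway, redirect, accept_redirects=False,
                                        secure_redirects=True, **policy),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "permissive" case is the point of the thread: every check a host can make on the wire passes, because the rogue PC simply writes the gateway's address into the source field. Only a host-side policy (secure_redirects with a pinned gateway list, or accept_redirects=0) stops it, and neither has anything to do with whether the router itself sends redirects.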

