nanog mailing list archives
Re: Should routers send redirects by default?
From: Brandon Ross <bross () pobox com>
Date: Fri, 20 Aug 2010 21:34:15 -0400 (EDT)
On Fri, 20 Aug 2010, Ricky Beam wrote:
> On Fri, 20 Aug 2010 20:08:34 -0400, Brandon Ross <bross () pobox com> wrote:
>> Okay, I'll ask again. Exactly how does disabling ICMP redirects on my router prevent traffic from being intercepted?
> It stops *one vector* of MITM attack. If a router honors redirects (and it never should), an evil host can intercept traffic of hosts that aren't on the local network.
Are you saying that turning off the transmittal of ICMP redirects on most routers will simultaneously disable the honoring of ICMP redirects that that router receives?
If that's not what you are saying then you are wrong.
> This is 5000% beyond the scope of the original question, btw.
I disagree. The decision about whether or not a feature should be on by default or not should be clear evidence that said feature is/could be harmful.
So far I have not heard a single compelling argument for how the _transmittal_ of ICMP redirects can cause any significant harm to a network other than what the other typical protocols that are enabled by default (ping, can't fragment, etc) cause. I will make the statement:
The transmittal of ICMP redirects by a router _cannot_ be exploited to create a man in the middle attack.
Before anyone responds to that statement, please read it very carefully. This statement does not comment on whether a host or router should be configured to _receive_ an ICMP redirect and act on it, that clearly can be used to create a MITM attack.
How many of you that routinely disable ICMP redirect on your routers also routinely disable the reception of ICMP redirects on your hosts? For those of you that do not, why not?
-- Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss
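Added example, not part of the original message: the distinction drawn above between sending redirects and accepting them, audited on Linux (an assumption; the thread names no platform). It parses constructed `sysctl -a` output and applies the kernel's documented rule for combining the `all` and per-interface IPv4 values.

```python
import re

# Constructed sample dumps: a forwarding router, and a plain host.
ROUTER = """\
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
"""
HOST = """\
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.send_redirects = 0
"""

KEY = re.compile(r"^net\.ipv4\.conf\.([^.\s]+)\."
                 r"(forwarding|accept_redirects|send_redirects)\s*=\s*(\d+)\s*$")

def parse(text):
    """Return {interface: {setting: bool}} for the three keys audited here."""
    conf = {}
    for line in text.splitlines():
        m = KEY.match(line)
        if m:
            conf.setdefault(m.group(1), {})[m.group(2)] = m.group(3) != "0"
    return conf

def audit(text):
    """Effective per-interface behaviour; keys missing from the dump count as off."""
    conf = parse(text)
    glob = conf.get("all", {})
    report = {}
    for ifname, c in conf.items():
        if ifname in ("all", "default"):
            continue
        a_all, a_if = glob.get("accept_redirects", False), c.get("accept_redirects", False)
        # Forwarding on: 'all' AND the interface must be set. Forwarding off: either one.
        accepts = (a_all and a_if) if c.get("forwarding", False) else (a_all or a_if)
        # Sending is enabled if either 'all' or the interface value is set.
        sends = glob.get("send_redirects", False) or c.get("send_redirects", False)
        report[ifname] = {"accepts": accepts, "sends": sends}
    return report

if __name__ == "__main__":
    for name, dump in (("router", ROUTER), ("host", HOST)):
        print(name, audit(dump))
```

In the constructed dumps the router sends redirects without accepting any, while the host still accepts them on eth0 even though `all.accept_redirects` is 0, because a non-forwarding interface accepts if either value is set.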