On Fri, Aug 20, 2010 at 4:10 PM, Owen DeLong <o...@delong.com> wrote:
> Redirects in IPv6 are no worse nor better an idea than unauthenticated RAs
> for default routers with nearly identical security implications.

this answered a different question... wanna try answering the question I
posed originally? :)

-chris

> Owen
>
>
> Sent from my iPad
>
> On Aug 20, 2010, at 10:20 AM, Christopher Morrow
> <christopher.mor...@gmail.com> wrote:
>
>> Polling a little bit here, there's an active discussion going on
>> 6...@ietf about whether or not v6 routers should:
>> o be required to implement ip redirect functions (icmpv6 redirect)
>> o be sending these by default
>>
>> Essentially 12+ years ago in RFC2461
>> (http://www.ietf.org/rfc/rfc2461.txt) and later in RFC4861
>> (http://tools.ietf.org/html/rfc4861) there are a set of message types
>> defined and use cases discussed which seem to lead to the idea that:
>> routers should be required to implement redirect logic/functionality
>> routers should by default be enabled to send these redirect messages.
>>
>> In ipv4 there's a relatively widely used practice of disabling ip
>> redirects. Secure router and secure host templates disable this
>> functionality, and have for quite some time. There are a host of
>> reasons for this; I don't really want to debate them though :) It would
>> be instructive to get a sense of how many folks do NOT disable this
>> sort of thing, or how many folks RELY on these functions working in
>> their network build today.
>>
>> For the 6man discussion though, I presume that in ipv4 we take a set
>> of configs/actions because of somewhat sane reasons, I suspect we
>> would want to have the same config/end-state in v6? One proposal is to
>> do this with:
>> o routers are required to be able to send redirect messages
>> o routers should NOT do this by default
>>
>> With the proviso that some consenting adults may choose to enable by
>> default on certain platforms (cable/dsl CPE, enterprise-LAN)... if that
>> muddies the waters it'd be nice to just hear about the proposal there
>> and leave the hinkiness of the rest out of the picture :) I hope that
>> folks who currently run v6 network(s) might respond, there are quite a
>> few v6 operators here... I'm looking at you owen/jjb/au-dsl-folk... :)
>>
>> thanks for your time, of course if you want to chat more directly about
>> this the 6man list is open and at:
>> <http://www.ietf.org/mail-archive/web/ipv6/current/maillist.html>
>>
>> -Chris
>
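Added example, not from the thread and not any vendor's router or host code: the message the 6man question is about, decoded and checked against the receiver-side validation rules RFC 4861 section 8.1 places on an ICMPv6 Redirect (link-local source, hop limit 255, valid checksum, code 0, non-multicast destination, target either link-local or equal to the destination, sender equal to the host's current first hop for that destination, no zero-length options). The packet bytes are constructed inline and nothing is sent; the function names `build_redirect` and `validate_redirect` and the addresses are my own.

```python
"""Decode and validate an ICMPv6 Redirect per RFC 4861 sections 4.5 and 8.1.

Constructed example: packets are built in memory, nothing touches the wire.
"""
import ipaddress
import struct

IPPROTO_ICMPV6 = 58
ICMPV6_REDIRECT = 137


def icmpv6_checksum(src: bytes, dst: bytes, msg: bytes) -> int:
    """Ones'-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message.

    Run over a message whose checksum field is already filled in, it returns 0.
    """
    pseudo = src + dst + struct.pack("!IxxxB", len(msg), IPPROTO_ICMPV6)
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(src, dst, target, redirected_dst, hop_limit=255, code=0, options=b""):
    """Build a full IPv6 packet carrying a Redirect (constructed test input only)."""
    src_b = ipaddress.IPv6Address(src).packed
    dst_b = ipaddress.IPv6Address(dst).packed
    msg = struct.pack("!BBHI", ICMPV6_REDIRECT, code, 0, 0)  # type, code, checksum=0, reserved
    msg += ipaddress.IPv6Address(target).packed              # Target Address: the better first hop
    msg += ipaddress.IPv6Address(redirected_dst).packed      # Destination Address being redirected
    msg += options
    msg = msg[:2] + struct.pack("!H", icmpv6_checksum(src_b, dst_b, msg)) + msg[4:]
    hdr = struct.pack("!IHBB", 0x60000000, len(msg), IPPROTO_ICMPV6, hop_limit)
    return hdr + src_b + dst_b + msg


def validate_redirect(packet: bytes, current_first_hop: str) -> list:
    """Return the RFC 4861 section 8.1 checks the packet fails; [] means a host may accept it.

    current_first_hop is the router the host currently uses for the redirected
    destination; only that router is allowed to redirect the flow.
    """
    problems = []
    if len(packet) < 40:
        return ["truncated"]
    vtcfl, plen, nh, hlim = struct.unpack("!IHBB", packet[:8])
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    msg = packet[40:40 + plen]
    if vtcfl >> 28 != 6 or nh != IPPROTO_ICMPV6:
        return ["not-icmpv6"]
    if len(msg) < 40:                      # 8-byte header plus two 16-byte addresses
        return ["short-message"]
    mtype, code, _csum, _reserved = struct.unpack("!BBHI", msg[:8])
    if mtype != ICMPV6_REDIRECT:
        return ["not-redirect"]
    target = ipaddress.IPv6Address(msg[8:24])
    rdst = ipaddress.IPv6Address(msg[24:40])
    if not src.is_link_local:
        problems.append("src-not-link-local")
    if hlim != 255:                        # a forwarded packet has been decremented
        problems.append("hop-limit")
    if icmpv6_checksum(src.packed, dst.packed, msg) != 0:
        problems.append("bad-checksum")
    if code != 0:
        problems.append("code")
    if rdst.is_multicast:
        problems.append("dst-multicast")
    if not (target.is_link_local or target == rdst):
        problems.append("target")
    if src != ipaddress.IPv6Address(current_first_hop):
        problems.append("not-current-first-hop")
    # Options are TLVs whose length is in units of 8 octets; zero is explicitly invalid.
    off = 40
    while off < len(msg):
        if len(msg) - off < 2 or msg[off + 1] == 0:
            problems.append("bad-option")
            break
        off += msg[off + 1] * 8
    return problems


if __name__ == "__main__":
    good = build_redirect("fe80::1", "fe80::2", "fe80::3", "2001:db8::10")
    print("from current router:", validate_redirect(good, "fe80::1") or "accept")
    odd = build_redirect("fe80::9", "fe80::2", "2001:db8::5", "2001:db8::10", hop_limit=64)
    print("unexpected sender:", validate_redirect(odd, "fe80::1"))
```

Note what the checks do and do not buy: they reject off-link and malformed messages, but any on-link sender that uses the current router's link-local address passes every one of them, which is exactly the parity with unauthenticated RAs that Owen points out. A host that does not want to depend on that can refuse redirects outright (on Linux, `net.ipv6.conf.all.accept_redirects=0`), and a router that does not want to emit them can disable sending per interface (on Cisco IOS, `no ipv6 redirects`), which is the ipv4 template practice Chris describes carried over to v6.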