See below

Jared Mauch

On Aug 20, 2010, at 6:34 PM, Owen DeLong <o...@delong.com> wrote:

> On Aug 20, 2010, at 2:54 PM, valdis.kletni...@vt.edu wrote:
>
>> On Fri, 20 Aug 2010 16:08:19 CDT, Butch Evans said:
>>
>>> Maybe I'm missing something. Can you point me to something that will
>>> help me understand WHY an ICMP redirect is such a huge security concern?
>>> For most of the networks that I manage (or help to manage), I can see no
>>> reason why this would be an issue.
>>
>> In general, it's not a big deal, except that unlike a proper routing protocol
>> where you can redirect a /16 or a /default at a time and withdraw it when
>> needed, ICMP redirects tend to form host routes that have to individually be
>> redirected back if the routing flips back to its original status.
>>
>> Until a PC or something on the network gets pwned, and issues selective forged
>> ICMP redirects to declare itself a router and the appropriate destination for
>> some traffic, which it can then MITM to its heart's content. *Then* you truly
>> have a manure-on-fan situation.
>
> This is worse than said PC issuing rogue RAs exactly how?
>
> Perhaps we should pressure switch vendors to add ICMP Redirect
> protection to the RA Guard feature they haven't implemented yet?

One of my points is that redirects are routing updates of a dynamic nature. If the hosts are intended to participate in the routing process, perhaps they should speak a protocol that can be secured further vs something that can't.

Please join the discussion on ipv6 at ietf. It's part of a router and host requirements document.

> Owen
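The thread describes the risk as a host honouring an ICMPv4 Redirect (type 5) from anything on the segment and installing a host route toward whatever gateway the message names. The following is an added example, not code from anyone in this thread: it builds a constructed redirect packet (so it runs offline), parses it, and applies the sanity checks a host stack or an IDS can make before trusting one, namely checksum validity, that the sender and the proposed gateway are in an allowlist of known routers, and that the quoted datagram was actually sent by the receiving host. The allowlist `KNOWN_ROUTERS`, all addresses, and the UDP payload are assumptions made up for the example.

```python
import ipaddress
import struct

# Constructed allowlist of legitimate first-hop routers for this example.
KNOWN_ROUTERS = {"192.0.2.1", "192.0.2.2"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_redirect(sender, victim, gateway, orig_src, orig_dst, code=1):
    """Constructed ICMPv4 Redirect (type 5) used as test input for the parser.

    The body quotes the IP header plus first 8 bytes of the datagram that
    supposedly triggered the redirect (here a constructed UDP/53 header).
    """
    orig_hdr = build_ipv4_header(orig_src, orig_dst, 17, 8)
    orig_first8 = struct.pack("!HHHH", 40000, 53, 8, 0)
    body = ipaddress.IPv4Address(gateway).packed + orig_hdr + orig_first8
    icmp = struct.pack("!BBH", 5, code, 0) + body
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4_header(sender, victim, 1, len(icmp)) + icmp


def parse_redirect(packet: bytes):
    """Return the fields of an ICMPv4 redirect, or None if this is not one.

    None is also returned when the ICMP checksum does not verify, since a
    corrupted message must never be allowed to change the routing table.
    """
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    # 8 bytes of ICMP header + 28 bytes of quoted original datagram minimum
    if packet[9] != 1 or len(packet) < ihl + 8 + 28:
        return None
    icmp = packet[ihl:]
    itype, code, _ = struct.unpack("!BBH", icmp[:4])
    if itype != 5 or inet_checksum(icmp) != 0:
        return None
    orig = icmp[8:]
    return {
        "sender": str(ipaddress.IPv4Address(packet[12:16])),
        "victim": str(ipaddress.IPv4Address(packet[16:20])),
        "code": code,
        "gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "orig_src": str(ipaddress.IPv4Address(orig[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(orig[16:20])),
    }


def classify_redirect(info, known_routers=KNOWN_ROUTERS):
    """Checks a receiving host or IDS should apply before honouring a redirect."""
    if info is None:
        return "not-a-redirect"
    if info["sender"] not in known_routers:
        return "suspicious: redirect sent by non-router %s" % info["sender"]
    if info["gateway"] not in known_routers:
        return "suspicious: proposed gateway %s is not a known router" % info["gateway"]
    if info["orig_src"] != info["victim"]:
        return "suspicious: quoted datagram was not sent by this host"
    return "plausible"


if __name__ == "__main__":
    rogue = build_icmp_redirect("192.0.2.66", "192.0.2.10", "192.0.2.66",
                                "192.0.2.10", "198.51.100.5")
    print(classify_redirect(parse_redirect(rogue)))
```

A real stack should additionally insist that the sender is the router the host is currently using for that destination and that the new gateway is on-link (RFC 1122 section 3.2.2.2); on Linux the blunt mitigation is `net.ipv4.conf.all.accept_redirects=0` (or `secure_redirects`, which only accepts redirects from the default gateway list).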