On Fri, 20 Aug 2010 13:20:58 -0400, Christopher Morrow
<christopher.mor...@gmail.com> wrote:
> Polling a little bit here, there's an active discussion going on
> 6...@ietf about whether or not v6 routers should:
> o be required to implement ip redirect functions (icmpv6 redirect)
> o be sending these by default
...
> In ipv4 there's a relatively widely used practice of disabling ip
> redirects.
I think it's almost universally disabled (by default) everywhere in IPv4
purely for security (traffic interception.) In a perfectly run network,
redirects should never be necessary, so I'd think IPv6 should avoid going
down that road again. (support OPTIONAL, never enabled by default.) [It's
another insecure mistake IPv6 doesn't need to repeat.]
As I recall from long long ago, Cisco IOS would deal with traffic
differently depending on redirects... with redirects enabled, a redirect
was sent and the packet dropped; with redirects disabled, the router
hairpinned the packets. I honestly don't know what today's versions do
because I've never checked -- A can ping B, I move on. I turn redirects
off on *outside* interfaces. Inside (trustable) interfaces vary -- I
don't go out of my way to disable them.
--Ricky
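
The practice described in the message above, redirects turned off on outside interfaces, can be checked mechanically. This is an added example, not part of the original message: a Python audit over an IOS-style configuration. The sample config, the "OUTSIDE" description convention and the function names are assumptions, and a stanza without a `no ip redirects` / `no ipv6 redirects` line is treated as leaving redirects at the platform default.

```python
import re

# Constructed sample configuration (IOS-style); interface names and
# descriptions are made up for this example.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description OUTSIDE uplink
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 ipv6 address 2001:db8:0:1::1/64
!
interface GigabitEthernet0/1
 description INSIDE lan
 ip address 10.0.0.1 255.255.255.0
 ipv6 address 2001:db8:0:2::1/64
!
interface GigabitEthernet0/2
 description OUTSIDE peering
 ipv6 address 2001:db8:0:3::1/64
 no ip redirects
 no ipv6 redirects
!
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} for an IOS-style config."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a top-level command ends the stanza
    return stanzas

def audit_redirects(config, outside_marker="OUTSIDE"):
    """List (interface, family) pairs on outside interfaces where an address
    family is configured but redirects are not explicitly disabled."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("description") and outside_marker in l for l in lines):
            continue  # inside interfaces are out of scope, as in the post
        for family in ("ip", "ipv6"):
            in_use = any(l.startswith(family + " address") for l in lines)
            if in_use and ("no %s redirects" % family) not in lines:
                findings.append((name, family))
    return findings
```

On the constructed sample, the only finding is the dual-stacked outside interface where the IPv4 side was hardened and the IPv6 side was not.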