On Fri, 20 Aug 2010 18:16:35 EDT, Brandon Ross said:
> How does turning off ICMP redirects on the router prevent a rogue PC from
> sending ICMP redirects to its neighbors?

If I know for a fact that the network is designed such that I will never ever receive a valid ICMP redirect because there is exactly one route off the network, I can safely turn off "accept ICMP redirects" and be done with it. If I have to allow ICMP in, it becomes a much more interesting iptables/whatever issue.

On Fri, 20 Aug 2010 15:34:17 PDT, Owen DeLong said:
> This is worse than said PC issuing rogue RAs exactly how?

It's the exact same problem, actually.

> Perhaps we should pressure switch vendors to add ICMP Redirect
> protection to the RA Guard feature they haven't implemented yet?

You mean you aren't already? ;)
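
An added example, not part of the original message: on a Linux host, checking that "accept ICMP redirects" is actually off per interface, since the kernel combines the `all` value with each interface's own value. The sample sysctl lines, interface names, and the function names `sample_sysctl` and `redirect_accepting_ifaces` are constructed for illustration; only IPv4 is covered.

```shell
#!/bin/sh
# Added example. Linux applies accept_redirects per interface by combining the
# "all" value with the interface's own value:
#   forwarding off (host):  accepted if all OR  iface is 1
#   forwarding on (router): accepted if all AND iface is 1
# So on a host, zeroing only conf.all leaves redirects accepted.

# Constructed sample of `sysctl -a` output (interface names are made up).
sample_sysctl() {
    cat <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth2.accept_redirects = 1
net.ipv4.conf.eth2.forwarding = 1
EOF
}

# Hypothetical helper: read sysctl lines on stdin, print every interface whose
# effective IPv4 setting still accepts ICMP redirects.
redirect_accepting_ifaces() {
    awk -F' *= *' '
        /^net\.ipv4\.conf\..*\.(accept_redirects|forwarding) *=/ {
            key = $1
            sub(/^net\.ipv4\.conf\./, "", key)
            knob = key; sub(/^.*\./, "", knob)    # text after the last dot
            ifc = key;  sub(/\.[^.]*$/, "", ifc)  # text before the last dot
            val[ifc, knob] = $2 + 0
            if (ifc != "all" && ifc != "default") seen[ifc] = 1
        }
        END {
            all = val["all", "accept_redirects"]
            for (i in seen) {
                own = val[i, "accept_redirects"]
                if (val[i, "forwarding"]) eff = (all && own)
                else                      eff = (all || own)
                if (eff) print i
            }
        }
    ' | sort
}

# On a real host: sysctl -a 2>/dev/null | redirect_accepting_ifaces
sample_sysctl | redirect_accepting_ifaces
```

In the constructed sample only `eth0` is reported: `conf.all` is 0, but the interface's own value is still 1 and forwarding is off.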