2010/8/20 Jared Mauch
>
> Personally (and as the instigator in the ipv6/6man discussion) if the
> vendors could be trusted to expose their default settings in their
> configs, i would find a default of ON to be more acceptable. As their
> track-record is poor, and the harm has been realized in t
On Fri, 20 Aug 2010 21:24:43 -0400
"Ricky Beam" wrote:
> On Fri, 20 Aug 2010 20:43:39 -0400, Mark Smith
> wrote:
> > You're assuming the cost of always hair pinning traffic on an interface
> > is cheaper than issuing a redirect.
>
> I am saying no such thing. (a single redirect packet is alwa
On Fri, 20 Aug 2010, Ricky Beam wrote:
On Fri, 20 Aug 2010 20:08:34 -0400, Brandon Ross wrote:
Okay, I'll ask again. Exactly how does disabling ICMP redirects on my
router prevent traffic from being intercepted?
It stops *one vector* of MITM attack. If a router honors redirects (and it
ne
On Fri, 20 Aug 2010 20:43:39 -0400, Mark Smith
wrote:
You're assuming the cost of always hair pinning traffic on an interface
is cheaper than issuing a redirect.
I am saying no such thing. (a single redirect packet is always more
efficient.) I *am* saying ICMP redirects are a mistake that
On Fri, 20 Aug 2010 20:08:34 -0400, Brandon Ross wrote:
Okay, I'll ask again. Exactly how does disabling ICMP redirects on my
router prevent traffic from being intercepted?
It stops *one vector* of MITM attack. If a router honors redirects (and
it never should), an evil host can intercept
On 08/21/2010 02:08 AM, Brandon Ross wrote:
> On Fri, 20 Aug 2010, Ricky Beam wrote:
>
>> I think it's almost universally disabled (by default) everywhere in
>> IPv4 purely for security (traffic interception.)
>
> Okay, I'll ask again. Exactly how does disabling ICMP redirects on my
> router pre
On Fri, 20 Aug 2010 13:20:58 -0400, Christopher Morrow
wrote:
> Polling a little bit here, there's an active discussion going on
> 6...@ietf about whether or not v6 routers should:
> o be required to implement ip redirect functions (icmpv6 redirect)
> o be sending these by default
...
> In i
On Fri, 20 Aug 2010, Ricky Beam wrote:
> I think it's almost universally disabled (by default) everywhere in IPv4
> purely for security (traffic interception.)
Okay, I'll ask again. Exactly how does disabling ICMP redirects on my
router prevent traffic from being intercepted?
--
Brandon Ross
On Fri, 20 Aug 2010 18:16:35 EDT, Brandon Ross said:
> How does turning off ICMP redirects on the router prevent a rogue PC from
> sending ICMP redirects to its neighbors?
If I know for a fact that the network is designed such that I will never ever
receive a valid ICMP redirect because there i
On Fri, 20 Aug 2010 19:49:43 -0400
"Ricky Beam" wrote:
> On Fri, 20 Aug 2010 13:20:58 -0400, Christopher Morrow
> wrote:
> > Polling a little bit here, there's an active discussion going on
> > 6...@ietf about whether or not v6 routers should:
> > o be required to implement ip redirect funct
On Fri, 20 Aug 2010 13:20:58 -0400, Christopher Morrow
wrote:
Polling a little bit here, there's an active discussion going on
6...@ietf about whether or not v6 routers should:
o be required to implement ip redirect functions (icmpv6 redirect)
o be sending these by default
...
In ipv4 the
See below
Jared Mauch
On Aug 20, 2010, at 6:34 PM, Owen DeLong wrote:
>
> On Aug 20, 2010, at 2:54 PM, valdis.kletni...@vt.edu wrote:
>
>> On Fri, 20 Aug 2010 16:08:19 CDT, Butch Evans said:
>>
>>> Maybe I'm missing something. Can you point me to something that will
>>> help me understand W
Yea the stuff that sometimes is done in hw and sometimes in sw and causes
varying pain. You may find the discussion interesting to read if you feel
redirects are "ok" or tolerable.
If vendors can't expose their defaults they really should not be enabling these
things as it causes trouble.
I'
On Fri, 20 Aug 2010, Jared Mauch wrote:
The issue is routers typically do this in software requiring a punt and
CPU theft from bgp, ospf etc.
You mean like ICMP echo, ICMP can't fragment, ICMP unreachable...?
--
Brandon Ross AIM: BrandonNRoss
On Aug 20, 2010, at 2:54 PM, valdis.kletni...@vt.edu wrote:
> On Fri, 20 Aug 2010 16:08:19 CDT, Butch Evans said:
>
>> Maybe I'm missing something. Can you point me to something that will
>> help me understand WHY an ICMP redirect is such a huge security concern?
>> For most of the networks tha
See below
Jared Mauch
On Aug 20, 2010, at 6:16 PM, Brandon Ross wrote:
> On Fri, 20 Aug 2010, valdis.kletni...@vt.edu wrote:
>
>> Until a PC or something on the network gets pwned, and issues selective
>> forged
>> ICMP redirects to declare itself a router and the appropriate destination for
On Fri, 20 Aug 2010, valdis.kletni...@vt.edu wrote:
Until a PC or something on the network gets pwned, and issues selective forged
ICMP redirects to declare itself a router and the appropriate destination for
some traffic, which it can then MITM to its heart's content. *Then* you truly
have a ma
What puzzles me is that my Linux machine on the same network has no issues...
- Original Message -
From: "Jeroen Massar"
To: "Franck Martin"
Cc: nanog@nanog.org
Sent: Saturday, 21 August, 2010 9:34:23 AM
Subject: Re: IPv6 PMTUD and OS-X
On 2010-08-20 23:27, Franck Martin wrote:
> I'm tryin
On Fri, 2010-08-20 at 17:54 -0400, valdis.kletni...@vt.edu wrote:
> Until a PC or something on the network gets pwned, and issues selective forged
> ICMP redirects to declare itself a router and the appropriate destination for
> some traffic, which it can then MITM to its heart's content. *Then* y
This report has been generated at Fri Aug 20 21:12:23 2010 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.
Check http://www.cidr-report.org for a current version of this report.
BGP Update Report
Interval: 12-Aug-10 -to- 19-Aug-10 (7 days)
Observation Point: BGP Peering with AS131072
On Fri, 20 Aug 2010 16:08:19 CDT, Butch Evans said:
> Maybe I'm missing something. Can you point me to something that will
> help me understand WHY an ICMP redirect is such a huge security concern?
> For most of the networks that I manage (or help to manage), I can see no
> reason why this would
On 2010-08-20 23:27, Franck Martin wrote:
> I'm trying to debug a pesky PMTUD issue with IPv6 on Mac OS-X 10.6.
>
> It happens only from home, on wireless, when connected to a mac airport
> that does an automatic tunnel (teredo) to IPv6 backbone.
Welcome to the great world of Teredo/6to4 where th
I'm trying to debug a pesky PMTUD issue with IPv6 on Mac OS-X 10.6.
It happens only from home, on wireless, when connected to a mac airport that
does an automatic tunnel (teredo) to IPv6 backbone. There are IPv6 web sites
that I cannot browse until I lower the MTU to 1400. My Linux desktop in sim
On Fri, Aug 20, 2010 at 1:40 PM, Mikael Abrahamsson wrote:
> On Fri, 20 Aug 2010, Jack Bates wrote:
>
>> Why should the ietf dictate a default on this?
>
> Because that's what the IETF does, sets a SHOULD on "best common practice"
> after discussion in the community.
>
>> Requiring implementation
On Fri, Aug 20, 2010 at 4:03 PM, Jared Mauch wrote:
>
> On Aug 20, 2010, at 3:56 PM, Butch Evans wrote:
>
>> On Fri, 2010-08-20 at 13:20 -0400, Christopher Morrow wrote:
>>> Polling a little bit here, there's an active discussion going on
>>> 6...@ietf about whether or not v6 routers should:
>>>
On Fri, 2010-08-20 at 16:03 -0400, Jared Mauch wrote:
> One of the challenges is that some vendors have a poor track-record of
> documenting these defaults. This means unless you frequently sample
> your network traffic, you may not see your device sending decnet mop
> messages, or ipv6 redirects
On Fri, Aug 20, 2010 at 4:10 PM, Owen DeLong wrote:
> Redirects in IPv6 are no worse nor better an idea than unauthenticated RAs
> for default routers with nearly identical security implications.
this answered a different question... wanna try answering the question
I posed originally? :)
-chris
Redirects in IPv6 are no worse nor better an idea than unauthenticated RAs for
default routers with nearly identical security implications.
Owen
Sent from my iPad
On Aug 20, 2010, at 10:20 AM, Christopher Morrow
wrote:
> Polling a little bit here, there's an active discussion going on
> 6..
On Aug 20, 2010, at 3:56 PM, Butch Evans wrote:
> On Fri, 2010-08-20 at 13:20 -0400, Christopher Morrow wrote:
>> Polling a little bit here, there's an active discussion going on
>> 6...@ietf about whether or not v6 routers should:
>> o be required to implement ip redirect functions (icmpv6 red
On Fri, 2010-08-20 at 13:20 -0400, Christopher Morrow wrote:
> Polling a little bit here, there's an active discussion going on
> 6...@ietf about whether or not v6 routers should:
> o be required to implement ip redirect functions (icmpv6 redirect)
> o be sending these by default
I do not cur
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG,
CaribNOG and the RIPE Routing Working Group.
Daily listings are sent to bgp-st...@lists.apnic.net
On Aug 21, 2010, at 12:20 AM, Christopher Morrow wrote:
> o routers are required to be able to send redirect messages
> o routers should NOT do this by default
I concur with this position from an opsec standpoint; at the same time, I don't
know that *mandating* a default configuration setting
Mikael Abrahamsson wrote:
As I stated in the 6man discussion, I prefer routers to by default not
send redirects. We do that in our configuration template.
I often turn them off, but I'm not sure why. If they aren't needed,
generally they won't be issued anyways (p2p links, router only segmen
On Fri, 20 Aug 2010, Jack Bates wrote:
Why should the ietf dictate a default on this?
Because that's what the IETF does, sets a SHOULD on "best common
practice" after discussion in the community.
Requiring implementation I could understand, but setting the default?
Should the ietf also spe
Why should the ietf dictate a default on this? Requiring implementation
I could understand, but setting the default? Should the ietf also
specify requirement of allowing configuration change of a default?
Honestly, redirects are not nearly the problem that icmp unreachables are.
Jack
Christopher Mor
Polling a little bit here, there's an active discussion going on
6...@ietf about whether or not v6 routers should:
o be required to implement ip redirect functions (icmpv6 redirect)
o be sending these by default
Essentially 12+ years ago in RFC2461
(http://www.ietf.org/rfc/rfc2461.txt) and lat
On Thu, 19 Aug 2010 14:30:07 +0200
Joakim Aronius wrote:
> * Hannes Frederic Sowa (han...@mailcolloid.de) wrote:
> >
> > But most people just don't care. My proposal is to have some kind of
> > sane defaults for them e.g. changing their prefix every week or in the
> > case of a reconnect. This w
On 19/08/2010 10:23, jacob miller wrote:
Am looking for an open-source network monitoring tool with the ability to
create different views for different users.
You could try our mildly unconventional NMS project :
http://www.observium.org
We try to focus on collection and presentation of informati
http://www.cfengine.org/
On Wed, Aug 18, 2010 at 5:16 PM, Rogelio wrote:
> Long story short, a really crappy vendor is being shoved down our
> NOC's throat. They have a horrid CLI (if you can call it that).
> People don't understand it (it's non-intuitive) and are screwing up
> things all the
On 19/08/2010 11:23, jacob miller wrote:
Am looking for an open-source network monitoring tool with the ability to
create different views for different users.
Regards, Jacob
Hello,
Maybe nagvis could be what you need?
Julien