On Mon, Jun 08, 2009 at 10:27:40PM +0100, Stuart Henderson wrote:
> On 2009/06/08 20:29, Rainer Giedat wrote:
> > On Mon, Jun 08, 2009 at 04:26:35PM +0100, Stuart Henderson wrote:
> > > Prompted by an undeadly post [0]. What does anyone think about
> > > disabling acceptance of ICMP redirects by default? I had a look
> > > in a few relevant places and didn't notice any discussion about
> > > this before, but if my google/grep-fu is lacking, please point
> > > me in the right direction.
> > This may break parts of IPv6 Neighbor Discovery.
> >
> > See RFC 2461:
> > "Hosts use the advertised on-link prefixes to
> > build and maintain a list that is used in deciding when a packet's
> > destination is on-link or beyond a router. Note that a destination
> > can be on-link even though it is not covered by any advertised on-
> > link prefix. In such cases a router can send a Redirect informing
> > the sender that the destination is a neighbor."
>
> However it also talks about a source which "chooses to ignore
> unauthenticated Redirect messages". And of course routers already
> have to ignore Redirects. So it seems intended that things should
> still work if hosts choose to ignore these messages. I don't see
> how this would break v6 any more than disabling ICMPv4 redirects
> breaks v4.
>
> For now, I'll switch the remaining ones of my v6-speakers over to
> using rediraccept=0 (I changed some already) and see if I bump into
> any problems.
Right.
In this case, I would love to have not accepting redirects as default.
Redirects are scary. :)
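A small audit helper in POSIX shell, added here as an example and not part of the thread: it takes sysctl-style "key=value" output and reports which address families on a host will still honour a redirect, treating a forwarding system as a router that ignores them anyway. The knob names (net.inet.ip.forwarding, net.inet.icmp.rediraccept, net.inet6.ip6.forwarding, net.inet6.icmp6.rediraccept), the assumed "accept" default when a key is absent, and the sample dumps are all assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Audits sysctl-style output for
# redirect acceptance. Assumed OpenBSD knob names: net.inet.ip.forwarding,
# net.inet6.ip6.forwarding, net.inet.icmp.rediraccept, net.inet6.icmp6.rediraccept.

# Print the value of key $2 found in the sysctl dump $1, or $3 if absent.
sysctl_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" -v d="$3" \
        '$1 == k { print $2; found = 1; exit } END { if (!found) print d }'
}

# Print "ok" when neither family will honour a redirect, otherwise list the
# families that still do. A family that is being forwarded is treated as a
# router, which already ignores redirects. Absent rediraccept keys are
# assumed to mean "accept" (the pre-change default discussed in the thread).
redirect_policy() {
    dump=$1
    bad=""
    if [ "$(sysctl_value "$dump" net.inet.ip.forwarding 0)" = 0 ] &&
       [ "$(sysctl_value "$dump" net.inet.icmp.rediraccept 1)" = 1 ]; then
        bad="$bad inet"
    fi
    if [ "$(sysctl_value "$dump" net.inet6.ip6.forwarding 0)" = 0 ] &&
       [ "$(sysctl_value "$dump" net.inet6.icmp6.rediraccept 1)" = 1 ]; then
        bad="$bad inet6"
    fi
    if [ -z "$bad" ]; then echo ok; else echo "accepts-redirects:$bad"; fi
}

# Constructed sample dumps (not captured from real hosts).
HOST_DEFAULT='net.inet.ip.forwarding=0
net.inet.icmp.rediraccept=1
net.inet6.ip6.forwarding=0
net.inet6.icmp6.rediraccept=1'

HOST_HARDENED='net.inet.ip.forwarding=0
net.inet.icmp.rediraccept=0
net.inet6.ip6.forwarding=0
net.inet6.icmp6.rediraccept=0'

HOST_ROUTER='net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1'

redirect_policy "$HOST_DEFAULT"    # accepts-redirects: inet inet6
redirect_policy "$HOST_HARDENED"   # ok
redirect_policy "$HOST_ROUTER"     # ok
```

On a live OpenBSD box the dump would come from `sysctl net.inet net.inet6`; the script only reads text, so it can also be run against dumps collected from many hosts.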