On 2009/06/08 20:29, Rainer Giedat wrote:
> On Mon, Jun 08, 2009 at 04:26:35PM +0100, Stuart Henderson wrote:
> > Prompted by an undeadly post [0]. What does anyone think about
> > disabling acceptance of ICMP redirects by default? I had a look
> > in a few relevant places and didn't notice any discussion about
> > this before, but if my google/grep-fu is lacking, please point
> > me in the right direction.
>
> This may break parts of IPv6 Neighbor Discovery.
>
> See RFC 2461:
> "Hosts use the advertised on-link prefixes to
> build and maintain a list that is used in deciding when a packet's
> destination is on-link or beyond a router. Note that a destination
> can be on-link even though it is not covered by any advertised on-link
> prefix. In such cases a router can send a Redirect informing
> the sender that the destination is a neighbor."
However, it also talks about a source which "chooses to ignore
unauthenticated Redirect messages". And of course routers already have
to ignore Redirects. So it seems intended that things should still work
if hosts choose to ignore these messages.

I don't see how this would break v6 any more than disabling ICMPv4
redirects breaks v4.

For now, I'll switch the remaining ones of my v6-speakers over to using
rediraccept=0 (I changed some already) and see if I bump into any
problems.

> >
> > [0]
> > http://undeadly.org/cgi?action=article&sid=20090605213724&pid=30&mode=flat
> >
> > Index: etc/sysctl.conf > > =================================================================== > > RCS file: /cvs/src/etc/sysctl.conf,v > > retrieving revision 1.46 > > diff -u -p -r1.46 sysctl.conf > > --- etc/sysctl.conf 5 Jan 2008 18:38:37 -0000 1.46 > > +++ etc/sysctl.conf 8 Jun 2009 15:19:57 -0000 > > @@ -7,6 +7,8 @@ > > #net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets > > #net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 > > multicast packets > > #net.inet.ip.multipath=1 # 1=Enable IP multipath routing > > +#net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects > > +#net.inet6.icmp6.rediraccept=1 # 1=Accept IPv6 ICMP redirects > > #net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 > > packets > > #net.inet6.ip6.mforwarding=1 # 1=Permit forwarding (routing) of IPv6 > > multicast packets > > #net.inet6.ip6.multipath=1 # 1=Enable IPv6 multipath routing > > Index: sys/netinet/ip_icmp.c > > =================================================================== > > RCS file: /cvs/src/sys/netinet/ip_icmp.c,v > > retrieving revision 1.83 > > diff -u -p -r1.83 ip_icmp.c > > --- sys/netinet/ip_icmp.c 5 Jun 2009 00:05:22 -0000 1.83 > > +++ sys/netinet/ip_icmp.c 8 Jun 2009 15:19:57 -0000
> > @@ -113,7 +113,7 @@ int icmpprintfs = 0; > > int icmperrppslim = 100; > > int icmperrpps_count = 0; > > struct timeval icmperrppslim_last; > > -int icmp_rediraccept = 1; > > +int icmp_rediraccept = 0; > > int icmp_redirtimeout = 10 * 60; > > static struct rttimer_queue *icmp_redirect_timeout_q = NULL; > > struct icmpstat icmpstat; > > Index: sys/netinet6/in6_proto.c > > =================================================================== > > RCS file: /cvs/src/sys/netinet6/in6_proto.c,v > > retrieving revision 1.57 > > diff -u -p -r1.57 in6_proto.c > > --- sys/netinet6/in6_proto.c 25 Nov 2008 12:11:45 -0000 1.57 > > +++ sys/netinet6/in6_proto.c 8 Jun 2009 15:19:57 -0000 > > @@ -299,7 +299,7 @@ u_long rip6_sendspace = RIPV6SNDQ; > > u_long rip6_recvspace = RIPV6RCVQ; > > > > /* ICMPV6 parameters */ > > -int icmp6_rediraccept = 1; /* accept and process redirects > > */ > > +int icmp6_rediraccept = 0; /* accept and process redirects > > */ > > int icmp6_redirtimeout = 10 * 60; /* 10 minutes */ > > struct timeval icmp6errratelim = { 0, 0 }; /* no ratelimit */ > > int icmp6errppslim = 100; /* 100pps */
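Review bot: in the etc/sysctl.conf hunk the new IPv6 entry `+#net.inet6.icmp6.rediraccept=1 # 1=Accept IPv6 ICMP redirects` is placed in the IPv4 group, between net.inet.ip.multipath and net.inet6.ip6.forwarding, while every other IPv6 knob sits in the net.inet6 block that follows; consider moving it down next to the net.inet6.ip6.* entries so the file keeps its per-family grouping. The commented-out `=1` form is the right one to ship, since after this diff 1 becomes the non-default value an administrator uncomments to restore the old behaviour.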
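Review bot: the sys/netinet/ip_icmp.c hunk changes the compiled-in default `-int icmp_rediraccept = 1;` to `+int icmp_rediraccept = 0;`, which alters behaviour on every host that never sets the sysctl, but the diff touches no manual page; the documentation for net.inet.icmp.rediraccept should be updated in the same change so it states the new default and that setting it to 1 (as the commented sysctl.conf line shows) restores acceptance of redirects.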
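Review bot: in the sys/netinet6/in6_proto.c hunk the trailing comment on `+int icmp6_rediraccept = 0; /* accept and process redirects */` is carried over unchanged, so it now describes the opposite of the default value; suggest `/* accept and process redirects (off by default) */` so the comment and the value agree. Note that this hunk only changes the default, not the knob: a host that relies on the Redirect-based on-link case quoted from RFC 2461 earlier in the thread can still turn it on with net.inet6.icmp6.rediraccept=1.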
