* Stuart Henderson <[email protected]> [2009-06-08 22:27:40 +0100]:
>On 2009/06/08 20:29, Rainer Giedat wrote:
>> On Mon, Jun 08, 2009 at 04:26:35PM +0100, Stuart Henderson wrote:
>> > Prompted by an undeadly post [0]. What does anyone think about
>> > disabling acceptance of ICMP redirects by default? I had a look
>> > in a few relevant places and didn't notice any discussion about
>> > this before, but if my google/grep-fu is lacking, please point
>> > me in the right direction.
>> This may break parts of IPv6 Neighbor Discovery.
>>
>> See RFC 2461:
>> "Hosts use the advertised on-link prefixes to
>> build and maintain a list that is used in deciding when a packet's
>> destination is on-link or beyond a router. Note that a destination
>> can be on-link even though it is not covered by any advertised
>> on-link prefix. In such cases a router can send a Redirect informing
>> the sender that the destination is a neighbor."
>
>However it also talks about a source which "chooses to ignore
>unauthenticated Redirect messages". And of course routers already
>have to ignore Redirects. So it seems intended that things should
>still work if hosts choose to ignore these messages. I don't see
>how this would break v6 any more than disabling ICMPv4 redirects
>breaks v4.
>
>For now, I'll switch the remaining ones of my v6-speakers over to
>using rediraccept=0 (I changed some already) and see if I bump into
>any problems.

I currently run bgpd for IPv6, and have also been tunnelling some IPv6 netblocks
to some friends for about 2 years now. I have always turned off those sysctl
values. I'm sure it breaks some things, however I have yet to come across any
reports of breakage or unusual activity as of yet. I never used rtsol(d) and
friends; I have a feeling interesting problems may occur if redirect was
disabled on IPv6 for rtsold/rtadvd. I honestly like the proposed patch myself;
I'm sure there are valid points to have it disabled or enabled per default.
Personally I don't think it's a major issue if redirect was disabled per
default, be it IPv4/IPv6. If there are some possible problems with breaking
neighbor discovery, it could be enabled after an install. I have been watching
recent commits the past month or so; IIRC there's a minor sysctl utility on the
install media, perhaps it could be adjusted manually? (given that there would be
enough room for another addition). I'm honestly no real fan of IPv6; it's
literally the last thing I configure on my machines at this time, as I have yet
to run into a provider that primarily uses IPv6 vs. IPv4. Though I would not be
surprised if some countries, places etc. do use IPv6, which may cause some
problems if there are issues with neighbor discovery; perhaps it might be best
to just keep it enabled per default. Perhaps this request might get more
complicated than originally thought, and like Stuart I have always pondered this
question myself, as I don't ever recall any discussions about this issue before
myself. ;)

-Zak

>> > [0]
>> > http://undeadly.org/cgi?action=article&sid=20090605213724&pid=30&mode=flat
>> >
>> >
>> > Index: etc/sysctl.conf >> > =================================================================== >> > RCS file: /cvs/src/etc/sysctl.conf,v >> > retrieving revision 1.46 >> > diff -u -p -r1.46 sysctl.conf >> > --- etc/sysctl.conf 5 Jan 2008 18:38:37 -0000 1.46 >> > +++ etc/sysctl.conf 8 Jun 2009 15:19:57 -0000 
>> > @@ -7,6 +7,8 @@ >> > #net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets >> > #net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 >> > multicast packets >> > #net.inet.ip.multipath=1 # 1=Enable IP multipath routing >> > +#net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects >> > +#net.inet6.icmp6.rediraccept=1 # 1=Accept IPv6 ICMP redirects >> > #net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 >> > packets >> > #net.inet6.ip6.mforwarding=1 # 1=Permit forwarding (routing) of IPv6 >> > multicast packets >> > #net.inet6.ip6.multipath=1 # 1=Enable IPv6 multipath routing >> > Index: sys/netinet/ip_icmp.c >> > =================================================================== >> > RCS file: /cvs/src/sys/netinet/ip_icmp.c,v >> > retrieving revision 1.83 >> > diff -u -p -r1.83 ip_icmp.c >> > --- sys/netinet/ip_icmp.c 5 Jun 2009 00:05:22 -0000 1.83 >> > +++ sys/netinet/ip_icmp.c 8 Jun 2009 15:19:57 -0000 >> > @@ -113,7 +113,7 @@ int icmpprintfs = 0; >> > int icmperrppslim = 100; >> > int icmperrpps_count = 0; >> > struct timeval icmperrppslim_last; >> > -int icmp_rediraccept = 1; >> > +int icmp_rediraccept = 0; >> > int icmp_redirtimeout = 10 * 60; >> > static struct rttimer_queue *icmp_redirect_timeout_q = NULL; >> > struct icmpstat icmpstat; >> > Index: sys/netinet6/in6_proto.c >> > =================================================================== >> > RCS file: /cvs/src/sys/netinet6/in6_proto.c,v >> > retrieving revision 1.57 >> > diff -u -p -r1.57 in6_proto.c >> > --- sys/netinet6/in6_proto.c 25 Nov 2008 12:11:45 -0000 1.57 >> > +++ sys/netinet6/in6_proto.c 8 Jun 2009 15:19:57 -0000 
>> > @@ -299,7 +299,7 @@ u_long rip6_sendspace = RIPV6SNDQ; >> > u_long rip6_recvspace = RIPV6RCVQ; >> > >> > /* ICMPV6 parameters */ >> > -int icmp6_rediraccept = 1; /* accept and process redirects >> > */ >> > +int icmp6_rediraccept = 0; /* accept and process redirects >> > */ >> > int icmp6_redirtimeout = 10 * 60; /* 10 minutes */ >> > struct timeval icmp6errratelim = { 0, 0 }; /* no ratelimit */ >> > int icmp6errppslim = 100; /* 100pps */
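Review bot: the etc/sysctl.conf hunk adds the two commented-out `rediraccept=1` lines but nothing in the diff touches the manual page that documents net.inet.icmp.rediraccept and net.inet6.icmp6.rediraccept, so that page will keep describing the old default of 1 after the kernel change lands; the documentation update belongs in the same commit so an administrator reading sysctl(8) and this file get the same story.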
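Review bot: in the sys/netinet/ip_icmp.c hunk `int icmp_rediraccept = 0;` flips the compiled-in default with no comment, while the IPv6 counterpart in in6_proto.c carries one; a short comment saying that redirects are ignored by default and can be re-enabled through net.inet.icmp.rediraccept would keep the two files consistent and tell the next reader the 0 is deliberate rather than a leftover. `icmp_redirtimeout` and `icmp_redirect_timeout_q` are rightly left alone, since the timeout still governs entries once an administrator turns acceptance back on.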
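Review bot: in the sys/netinet6/in6_proto.c hunk the comment `/* accept and process redirects */` next to `int icmp6_rediraccept = 0;` now states the opposite of what the default does; reword it to say Redirects are ignored by default and that hosts which depend on a router's on-link Redirects (the RFC 2461 case raised earlier in the thread) need net.inet6.icmp6.rediraccept=1.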
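The RFC 2461 text Rainer quotes and Stuart's reply can be checked against a small model of a host's next-hop decision. This is an added example, not code from the thread or from OpenBSD; the class and function names and all addresses are constructed for illustration, and the `accept_redirects` flag stands in for net.inet6.icmp6.rediraccept.

```python
import ipaddress


class Host:
    """IPv6 host: on-link prefix list, default router, redirect cache."""

    def __init__(self, prefixes, default_router, accept_redirects):
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        self.default_router = ipaddress.ip_address(default_router)
        self.accept_redirects = accept_redirects  # models net.inet6.icmp6.rediraccept
        self.redirects = {}                       # dst -> next hop learned from a Redirect

    def next_hop(self, dst):
        """RFC 2461 next-hop choice: redirect cache, then prefix list, else router."""
        dst = ipaddress.ip_address(dst)
        if dst in self.redirects:
            return self.redirects[dst]
        if any(dst in p for p in self.prefixes):
            return dst                   # on-link: deliver directly
        return self.default_router       # not known on-link: hand to the router

    def receive_redirect(self, dst, target, src):
        """Handle an ICMPv6 Redirect for dst, naming target, sent from src.

        Returns True when the cache is updated.  With rediraccept=0 every
        Redirect is dropped.  Otherwise it is honoured only if src is the router
        currently used as first hop for dst and target is either dst itself
        (dst is a neighbour) or a link-local router address (RFC 2461 8.1).
        """
        dst, target, src = map(ipaddress.ip_address, (dst, target, src))
        if not self.accept_redirects:
            return False
        if src != self.next_hop(dst) or src == dst:  # a directly reached neighbour is no router
            return False
        if target != dst and not target.is_link_local:
            return False
        self.redirects[dst] = target
        return True


def first_hops(accept_redirects):
    """Constructed scenario: 2001:db8:1::/64 is advertised, fe80::1 is the
    router, and 2001:db8:2::5 is on-link but covered by no advertised prefix.
    Returns (first hop before any Redirect, whether a Redirect from a node that
    is not our first hop was accepted, first hop after the router's Redirect)."""
    h = Host(["2001:db8:1::/64"], "fe80::1", accept_redirects)
    dst = "2001:db8:2::5"
    before = str(h.next_hop(dst))
    bogus = h.receive_redirect(dst, "fe80::eeee", "fe80::2")  # fe80::2 is not our first hop
    h.receive_redirect(dst, dst, "fe80::1")                  # router: dst is your neighbour
    return before, bogus, str(h.next_hop(dst))
```

With the flag off, traffic to 2001:db8:2::5 keeps going via fe80::1, which forwards it on-link; reachability is preserved at the cost of an extra hop, which is the trade-off the thread is weighing.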
