On Aug 20, 2010, at 2:54 PM, Valdis.Kletnieks@vt.edu wrote:
On Fri, 20 Aug 2010 16:08:19 CDT, Butch Evans said:
Maybe I'm missing something. Can you point me to something that will help me understand WHY an ICMP redirect is such a huge security concern? For most of the networks that I manage (or help to manage), I can see no reason why this would be an issue.
In general, it's not a big deal, except that unlike a proper routing protocol where you can redirect a /16 or a /default at a time and withdraw it when needed, ICMP redirects tend to form host routes that have to individually be redirected back if the routing flips back to its original status.
Until a PC or something on the network gets pwned, and issues selective forged ICMP redirects to declare itself a router and the appropriate destination for some traffic, which it can then MITM to its heart's content. *Then* you truly have a manure-on-fan situation.
This is worse than said PC issuing rogue RAs exactly how? Perhaps we should pressure switch vendors to add ICMP Redirect protection to the RA Guard feature they haven't implemented yet?

Owen
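Added example, not part of the original thread: a monitoring-side check that parses IPv4 ICMP redirects (type 5) and flags any whose sender is not a known first-hop router or whose new gateway is off-link, reporting the host route a receiving host would install. The LAN prefix, router address, function names and sample packets are all constructed assumptions.

```python
import ipaddress
import struct

# Assumptions (constructed values): the LAN prefix and its legitimate routers.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
KNOWN_ROUTERS = {ipaddress.ip_address("192.0.2.1")}

def parse_redirect(packet: bytes):
    """Return (sender, new_gateway, redirected_dst) for an IPv4 ICMP redirect, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1:          # IP protocol 1 = ICMP
        return None
    icmp = packet[ihl:]
    # ICMP header (4) + gateway address (4) + embedded original IP header (20)
    if len(icmp) < 28 or icmp[0] != 5:      # ICMP type 5 = Redirect
        return None
    sender = ipaddress.ip_address(packet[12:16])
    new_gateway = ipaddress.ip_address(icmp[4:8])
    redirected_dst = ipaddress.ip_address(icmp[24:28])  # dst of the embedded header
    return sender, new_gateway, redirected_dst

def assess(packet: bytes):
    """Classify a redirect, reported as the /32 host route the thread describes."""
    parsed = parse_redirect(packet)
    if parsed is None:
        return None
    sender, new_gateway, dst = parsed
    if sender not in KNOWN_ROUTERS:
        verdict = "suspicious: sender is not a known router"
    elif new_gateway not in LOCAL_NET:
        verdict = "suspicious: new gateway is off-link"
    else:
        verdict = "plausible"
    return f"{dst}/32 via {new_gateway} (from {sender}): {verdict}"

def build_redirect(src, gateway, orig_dst, host="192.0.2.50"):
    """Constructed sample packet (checksums left at zero) for offline testing."""
    p = lambda a: ipaddress.ip_address(a).packed
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, p(host), p(orig_dst)) + bytes(8)
    icmp = struct.pack("!BBH4s", 5, 1, 0, p(gateway)) + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, p(src), p(host))
    return outer + icmp

if __name__ == "__main__":
    print(assess(build_redirect("192.0.2.1", "192.0.2.2", "198.51.100.7")))
    print(assess(build_redirect("192.0.2.66", "192.0.2.66", "198.51.100.7")))
```

A "plausible" verdict only means the IP-layer fields are consistent; because the source address of a redirect can be forged, pair this with a link-layer check of the sending MAC against the real router.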