On Fri, 2010-08-20 at 21:34 -0400, Brandon Ross wrote:
> So far I have not heard a single compelling argument for how the _transmittal_ of ICMP redirects can cause any significant harm to a network other than what the other typical protocols that are enabled by default (ping, can't fragment, etc.) cause. I will make the statement:
I agree with you here, Brandon. I asked the question: "What is the real security hole?" because I cannot see any real risk here for MOST of the networks that I am involved in. I can see the possibility of MITM attacks with ICMP redirects, but that is not the case for (as you point out) a router that issues an ICMP redirect. Also, it is not my experience that most host OS have this disabled either. That being the case, it seems to me that eliminating the behavior of transmitting these redirects in a router are of little value in protecting against MITM attacks.
> The transmittal of ICMP redirects by a router _cannot_ be exploited to create a man in the middle attack.
I'd have to agree with this. More because my limited research (which includes responses I've seen on this thread) seems to indicate that this is the case.
> Before anyone responds to that statement, please read it very carefully. This statement does not comment on whether a host or router should be configured to _receive_ an ICMP redirect and act on it, that clearly can be used to create a MITM attack.
If a network has a single router, then wouldn't this also create a DOS situation under the right circumstances? I mean, if it can create MITM, it would HAVE to also create DOS possibilities. What is the distance of a route learned from an ICMP redirect? If it is greater than 0 (connected route) or 1 (static route) but less than the cost of other dynamically learned routes, then I can see why this may be a problem for a router to respond to an ICMP redirect packet.

-- 
********************************************************************
* Butch Evans                  * Professional Network Consultation *
* http://www.butchevans.com/   * Network Engineering               *
* http://store.wispgear.net/   * Wired or Wireless Networks        *
* http://blog.butchevans.com/  * ImageStream, Mikrotik and MORE!   *
********************************************************************
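The thread draws a line between a router _sending_ redirects and a host or router _accepting_ them; the second is the setting a defender actually has to audit. The script below is an added example, not code from this thread or from either author: it reads Linux `sysctl` output for the real `accept_redirects`, `secure_redirects` and `send_redirects` keys, flags the values that still allow redirects to be accepted or emitted, and prints a hardened `sysctl.d`-style baseline for comparison. The `SAMPLE_SYSCTL` text is a constructed sample standing in for a live `sysctl -a` dump; the function and helper names are my own.

```shell
#!/bin/sh
# Added example: audit Linux ICMP-redirect sysctls (not from the thread).
# SAMPLE_SYSCTL is a constructed stand-in for live output; on a real host use:
#   sysctl -a 2>/dev/null | grep -E 'conf\..*\.(accept|secure|send)_redirects' | audit_redirects
SAMPLE_SYSCTL='net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 1'

# audit_redirects reads "key = value" sysctl lines on stdin and prints one line
# per setting that still lets redirects be accepted or sent.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_redirects() {
    flagged=0
    while IFS= read -r line; do
        key=${line%% =*}
        val=${line##*= }
        case "$key" in
            net.ipv4.conf.*.accept_redirects|net.ipv6.conf.*.accept_redirects)
                # Accepting redirects lets any on-link sender rewrite this host's next hop.
                [ "$val" = "0" ] || { echo "ACCEPT  $key=$val (set to 0)"; flagged=1; } ;;
            net.ipv4.conf.*.secure_redirects)
                # Only consulted when accept_redirects=1; flag it so the pair is reviewed together.
                [ "$val" = "0" ] || { echo "SECURE  $key=$val (set to 0; relevant only with accept_redirects=1)"; flagged=1; } ;;
            net.ipv4.conf.*.send_redirects)
                # A plain host has no reason to emit redirects; routers may leave this on deliberately.
                [ "$val" = "0" ] || { echo "SEND    $key=$val (set to 0 on hosts)"; flagged=1; } ;;
        esac
    done
    return $flagged
}

# count_flagged: number of findings for the constructed sample (used by the checks).
count_flagged() {
    printf '%s\n' "$SAMPLE_SYSCTL" | audit_redirects | wc -l | tr -d ' '
}

# hardened_sysctl: baseline lines for /etc/sysctl.d/ on a host that should
# neither act on nor originate ICMP redirects.
hardened_sysctl() {
    cat <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
EOF
}

# Run against the constructed sample, then show the baseline.
printf '%s\n' "$SAMPLE_SYSCTL" | audit_redirects || echo "-- findings above; hardened baseline:"
hardened_sysctl
```

Note that the "all" and per-interface values are combined by the kernel (for `accept_redirects` the per-interface value is ANDed with `all`), so a clean `all.*` line is what closes the hole; per-interface findings tell you which interfaces would reopen it if `all` were ever relaxed.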