On Fri, 20 Aug 2010 18:16:35 EDT, Brandon Ross said:
How does turning off ICMP redirects on the router prevent a rogue PC from sending ICMP redirects to its neighbors?
If I know for a fact that the network is designed such that I will never ever receive a valid ICMP redirect because there is exactly one route off the network, I can safely turn off "accept ICMP redirects" and be done with it. If I have to allow ICMP in, it becomes a much more interesting iptables/whatever issue.

On Fri, 20 Aug 2010 15:34:17 PDT, Owen DeLong said:
This is worse than said PC issuing rogue RAs exactly how?
It's the exact same problem, actually.
Perhaps we should pressure switch vendors to add ICMP Redirect protection to the RA Guard feature they haven't implemented yet?
You mean you aren't already? ;)