On Wed, 2010-08-25 at 20:08 -0500, James Hess wrote:
> On Fri, Aug 20, 2010 at 4:08 PM, Butch Evans <butche@butchevans.com> wrote:
>
> I would suggest the recommendation be that ICMP Redirects, proxy ARP, directed broadcast, source routing, and acceptance/usage of all fancy/surprising features should be off by default.
Off by default, but supported, is my recommendation. I am assuming that the function in IPv6 is the same as (or similar to) that in IPv4. There was another post in this thread (I can't recall who posted it) that indicated there was more to the redirect in v6 than in v4, but I am not yet very familiar with v6.
> "surprising" is defined as the sort of thing that is nonessential, has questionable benefits,
Perhaps "questionable" to you, but I have had a specific need for ICMP redirects on two specific networks. In those networks it WAS essential and had a very specific, measurable benefit.
> Redirects seem to fall into the non-essential with questionable benefits (in most cases) category.
You are being a little presumptuous here. Perhaps for "most cases", I'd agree that they are non-essential, but there are cases where it is desirable and lack of support (as in the PIX) makes things very difficult at times.
> If none of your hosts accept redirects, then it is not really apparent that redirects are harmful. If some of your hosts accept redirects, then redirects may be capable of causing headaches.
In one case where I needed ICMP redirect to work, I had 2 routers on the network (one was a Linux device and the other was a PIX). Each of these was terminating VPNs from various sources. There were several (about 90) hosts on the LAN segment. Each of these hosts had the PIX as its default route. It would have been a very simple matter to add routes to the PIX and have it redirect the traffic destined for the remote networks behind the Linux device. The PIX, however, does not support ICMP redirects AT ALL. I'm all for securing a network segment, but failure to support a valid function of ICMP is one reason I have never purchased a PIX...and never will. I can see your point that it should be off by default. But to be off and not even supported is just wrong, IMHO.

--
********************************************************************
* Butch Evans                 * Professional Network Consultation  *
* http://www.butchevans.com/  * Network Engineering                *
* http://store.wispgear.net/  * Wired or Wireless Networks         *
* http://blog.butchevans.com/ * ImageStream, Mikrotik and MORE!    *
********************************************************************
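Added example (not code from the thread or from either poster): a small Python model of the two-router LAN described above, showing under which RFC 1812 conditions a router emits a redirect, why a router that never sends one leaves every packet for the remote networks hairpinning through it, and which redirects a host should honour. The host-side checks follow RFC 1122 section 3.2.2.2 plus the semantics of Linux's accept_redirects and secure_redirects sysctls. The addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/30) are constructed from the RFC 5737 documentation ranges; the PIX at .1, the Linux VPN router at .2, the host at .10 and the attacker at .66 are stand-ins, not the original networks.

```python
"""Which ICMP redirects a router emits and which a host should honour. Added
illustration, not from the thread; addresses are RFC 5737 documentation ranges."""
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List, Optional

Route = namedtuple("Route", "prefix gateway iface")      # gateway None: directly connected
Redirect = namedtuple("Redirect", "icmp_src dst new_gw")  # the ICMP type 5 fields that matter here


def lookup(routes: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


@dataclass
class Router:
    ifaces: Dict[str, IPv4Interface]  # interface name -> address/prefix
    static: List[Route]
    sends_redirects: bool = True      # the PIX in the thread behaves as if this were False

    def table(self) -> List[Route]:
        return [Route(i.network, None, n) for n, i in self.ifaces.items()] + self.static

    def would_redirect(self, src: IPv4Address, dst: IPv4Address) -> bool:
        """RFC 1812 5.2.7.2 (source routing ignored): the packet leaves on the
        interface it arrived on, and source and next hop share that subnet."""
        in_route = lookup([r for r in self.table() if r.gateway is None], src)
        out_route = lookup(self.table(), dst)
        if in_route is None or out_route is None or out_route.iface != in_route.iface:
            return False
        return (out_route.gateway if out_route.gateway is not None else dst) in in_route.prefix

    def forward(self, src: IPv4Address, dst: IPv4Address):
        """Return (next_hop, redirect); redirect is None unless one is emitted."""
        out_route = lookup(self.table(), dst)
        if out_route is None:
            return None, None
        next_hop = out_route.gateway if out_route.gateway is not None else dst
        if self.sends_redirects and self.would_redirect(src, dst):
            return next_hop, Redirect(self.ifaces[out_route.iface].ip, dst, next_hop)
        return next_hop, None


@dataclass
class Host:
    iface: IPv4Interface
    default_gws: List[IPv4Address]
    accept_redirects: bool = True     # mirrors net.ipv4.conf.*.accept_redirects
    secure_redirects: bool = True     # mirrors net.ipv4.conf.*.secure_redirects
    cache: Dict[IPv4Address, IPv4Address] = field(default_factory=dict)

    def first_hop(self, dst: IPv4Address) -> IPv4Address:
        return dst if dst in self.iface.network else self.cache.get(dst, self.default_gws[0])

    def handle_redirect(self, rd: Redirect) -> str:
        if not self.accept_redirects:
            return "ignored: accept_redirects=0"
        if rd.icmp_src != self.first_hop(rd.dst):      # RFC 1122 3.2.2.2: only the current
            return "dropped: sender is not the current first hop"   # first hop may redirect
        if rd.new_gw not in self.iface.network:       # ... and only to an on-link gateway
            return "dropped: new gateway is not on-link"
        if self.secure_redirects and rd.new_gw not in self.default_gws:  # Linux secure_redirects
            return "dropped: secure_redirects rejects an unknown gateway"
        self.cache[rd.dst] = rd.new_gw
        return "accepted"


def run_scenario() -> Dict[str, object]:
    """Constructed LAN 192.0.2.0/24: PIX at .1 is every host's default gateway,
    the Linux VPN router at .2 fronts 198.51.100.0/24."""
    ifaces = {"inside": IPv4Interface("192.0.2.1/24"), "outside": IPv4Interface("203.0.113.2/30")}
    static = [Route(IPv4Network("198.51.100.0/24"), IPv4Address("192.0.2.2"), "inside"),
              Route(IPv4Network("0.0.0.0/0"), IPv4Address("203.0.113.1"), "outside")]
    pix = Router(ifaces, static, sends_redirects=False)
    rtr = Router(ifaces, static, sends_redirects=True)   # same table, but willing to redirect
    host_ip, remote = IPv4Address("192.0.2.10"), IPv4Address("198.51.100.5")

    def host(**kw) -> Host:
        return Host(IPv4Interface("192.0.2.10/24"), [IPv4Address("192.0.2.1")], **kw)

    res: Dict[str, object] = {"pix_would_redirect": pix.would_redirect(host_ip, remote)}
    nh, rd = pix.forward(host_ip, remote)
    res["pix_sent_redirect"], res["pix_next_hop"] = rd is not None, str(nh)  # hairpins every packet
    nh, rd = rtr.forward(host_ip, remote)
    res["router_sent_redirect"] = rd is not None
    res["strict_legit"] = host().handle_redirect(rd)            # .2 is not a configured default gw
    lax = host(secure_redirects=False)
    res["lax_legit"], res["lax_first_hop"] = lax.handle_redirect(rd), str(lax.first_hop(remote))
    # Spoofed redirect from a LAN peer: icmp_src forged as the PIX, new_gw is the attacker itself
    spoof = Redirect(IPv4Address("192.0.2.1"), remote, IPv4Address("192.0.2.66"))
    res["strict_spoof"] = host().handle_redirect(spoof)
    res["lax_spoof"] = host(secure_redirects=False).handle_redirect(spoof)   # traffic hijacked
    res["off_spoof"] = host(accept_redirects=False).handle_redirect(spoof)
    # Redirect from the Linux router, which is not the host's current first hop for remote
    res["wrong_src"] = host().handle_redirect(Redirect(IPv4Address("192.0.2.2"), remote, IPv4Address("192.0.2.2")))
    return res


if __name__ == "__main__":
    print(*run_scenario().items(), sep="\n")
```

Running it puts both sides of the exchange above next to each other: the PIX's routing table would qualify for a redirect but none is ever sent, so every packet for 198.51.100.0/24 crosses the LAN twice; a router that does send it is still refused by a host with Linux's default secure_redirects=1, because 192.0.2.2 is not one of its configured default gateways; and the lax host that accepts the legitimate redirect accepts the forged one pointing at 192.0.2.66 just as readily, which is exactly the headache a redirect-accepting host creates. Making the two-router case work therefore means either listing the second router as a default gateway on the hosts or relaxing secure_redirects, and the model shows what the second choice costs.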