On Aug 21, 2010, at 12:20 AM, Christopher Morrow wrote:
> o routers are required to be able to send redirect messages
> o routers should NOT do this by default
I concur with this position from an opsec standpoint; at the same time, I don't know that *mandating* a default configuration setting for a legal (if largely iatrogenic) mode of operation is something that the IETF should be doing. Here's an alternate formulation which gets the point across, but doesn't stray into the area of :

1. Routers are required to be able to send redirect messages.
2. It is recommended that routers should NOT do this by default.

As was mentioned somewhere in the 6man thread, the root of the problem has to do with the ugliness of IPv6 in general, and the whole v6 ICMP/ND mess in particular. Unfortunately, those ships have long since sailed; while it's tempting to try and retrofit fixes for poor design decisions in the fundamental protocol specifications by mandating sane implementation defaults in conformance documents, a recommendation rather than a mandate seems more situationally appropriate in this context.

The 'right way' to fix this problem, impractical though it may be, is in fact to go back and fix the protocol specifications; since that isn't going to happen, making recommendations gets the point across without being overbearing.

YMMV, of course.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken