On Fri, 2010-08-20 at 16:03 -0400, Jared Mauch wrote:
> One of the challenges is that some vendors have a poor track record of documenting these defaults. This means unless you frequently sample your network traffic, you may not see your device sending DECnet MOP messages, or IPv6 redirects :)
I agree.
Personally (and as the instigator in the IPv6/6man discussion), if the vendors could be trusted to expose their default settings in their configs, I would find a default of ON to be more acceptable.
The reason it doesn't matter to me WHICH one it is (on OR off) is because if/when a need arises to have ICMP redirects working (this is the exception and NOT the norm), it is easy to see why things do not work as expected. If my preferred gear is a Linux box (and it is, usually), and for some reason I need this to work, I simply run tcpdump to capture the packets; when I see that the redirect (which would be expected) is missing, I can easily fix the problem by enabling that feature. The same is true for the reverse.
If people want to hang themselves that's their problem, but at least they won't come with a hidden noose around their neck.
Maybe I'm missing something. Can you point me to something that will help me understand WHY an ICMP redirect is such a huge security concern? For most of the networks that I manage (or help to manage), I can see no reason why this would be an issue.
-- 
********************************************************************
* Butch Evans                   * Professional Network Consultation *
* http://www.butchevans.com/    * Network Engineering               *
* http://store.wispgear.net/    * Wired or Wireless Networks        *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!   *
********************************************************************
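The thread's point is that the redirect default is often hidden in the box rather than in the config. As an added example (not from this thread or any poster), the following Python audit reads `sysctl -a` style output from a Linux host, lists the ICMP-redirect knobs that are still enabled, and emits the `sysctl.conf` lines that turn them off; the sample output below is constructed, not a real capture.

```python
"""Audit Linux ICMP-redirect sysctls from `sysctl -a` style output."""
import re

# Knobs that govern ICMP redirects on Linux (value 1 = enabled):
#   accept_redirects: host honours redirects it receives and rewrites its route cache
#   send_redirects:   host/router emits redirects (IPv4 only)
#   secure_redirects: IPv4 only; restricts accepted redirects to listed gateways,
#                     so it is only meaningful while accept_redirects is on
LINE_RE = re.compile(
    r"^net\.(ipv4|ipv6)\.conf\.([^.]+)\."
    r"(accept_redirects|send_redirects|secure_redirects)\s*=\s*(\d+)$"
)


def parse_sysctl(text):
    """Return {(family, iface, knob): int}; lines for other sysctls are ignored."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            family, iface, knob, value = m.groups()
            settings[(family, iface, knob)] = int(value)
    return settings


def audit_redirects(settings):
    """Return (family, iface, knob, value) for every accept/send knob left at 1.

    Linux combines conf.all with the per-interface value, so both must be 0
    for the feature to be reliably off; each is reported separately here.
    """
    return [
        (family, iface, knob, value)
        for (family, iface, knob), value in sorted(settings.items())
        if knob in ("accept_redirects", "send_redirects") and value == 1
    ]


def hardening_lines(findings):
    """sysctl.conf lines that disable each flagged knob."""
    return [f"net.{fam}.conf.{iface}.{knob} = 0" for fam, iface, knob, _ in findings]


# Constructed sample modelled on a stock host's `sysctl -a` output (not a real capture).
SAMPLE = """\
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.eth0.accept_redirects = 0
net.ipv4.ip_forward = 0
"""
```

Run against a live host with `sysctl -a 2>/dev/null | python3 -c 'import sys,audit; ...'` or simply pass `subprocess.check_output(["sysctl", "-a"], text=True)` to `parse_sysctl`.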