On Fri, Aug 20, 2010 at 4:10 PM, Owen DeLong <owen@delong.com> wrote:
> Redirects in IPv6 are no worse nor better an idea than unauthenticated RAs for default routers with nearly identical security implications.
this answered a different question... wanna try answering the question I posed originally? :) -chris
> Owen
> Sent from my iPad
> On Aug 20, 2010, at 10:20 AM, Christopher Morrow <christopher.morrow@gmail.com> wrote:
> > Polling a little bit here, there's an active discussion going on 6man@ietf about whether or not v6 routers should:
> >   o be required to implement ip redirect functions (icmpv6 redirect)
> >   o be sending these by default
> > Essentially 12+ years ago in RFC2461 (http://www.ietf.org/rfc/rfc2461.txt) and later in RFC4861 (http://tools.ietf.org/html/rfc4861) there are a set of message types defined and use cases discussed which seem to lead to the idea that:
> >   routers should be required to implement redirect logic/functionality
> >   routers should by default be enabled to send these redirect messages.
> > In ipv4 there's a relatively widely used practice of disabling ip redirects. secure router and secure host templates disable this functionality, and have for quite some time. There are a host of reasons for this; I don't really want to debate them though :) It would be instructive to get a sense of how many folks do NOT disable this sort of thing, or how many folks RELY on these functions working in their network build today.
> > For the 6man discussion though, I presume that in ipv4 we take a set of configs/actions because of somewhat sane reasons, I suspect we would want to have the same config/end-state in v6? One proposal is to do this with:
> >   o routers are required to be able to send redirect messages
> >   o routers should NOT do this by default
> > With the proviso that some consenting adults may choose to enable by default on certain platforms (cable/DSL CPE, enterprise-LAN)... if that muddies the waters it'd be nice to just hear about the proposal there and leave the hinkiness of the rest out of the picture :) I hope that folks who currently run v6 network(s) might respond, there are quite a few v6 operators here... I'm looking at you owen/jjb/au-dsl-folk... :)
> > thanks for your time, of course if you want to chat more directly about this the 6man list is open and at: <http://www.ietf.org/mail-archive/web/ipv6/current/maillist.html>
> > -Chris
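Added example, not code from anyone in this thread: the receiver-side checks RFC 4861 section 8.1 requires before a host acts on an ICMPv6 Redirect (section 4.5), implemented in Python. It builds a Redirect with a correct checksum, parses it, and returns the list of reasons the host must silently discard it. Every address, the MAC, and the helper names are made up for illustration.

```python
"""Parse and validate an ICMPv6 Redirect (RFC 4861 sections 4.5 and 8.1).

Added example for this thread, not code from any participant. The packet
below is constructed for illustration; the addresses and MAC are made up.
"""
import ipaddress
import struct

ICMPV6_REDIRECT = 137          # ICMPv6 type for Redirect
OPT_TARGET_LLADDR = 2          # Target Link-layer Address option


def icmpv6_checksum(src, dst, payload):
    """One's-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = src.packed + dst.packed + struct.pack("!IxxxB", len(payload), 58)
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(src, dst, target, destination, options=()):
    """Build a Redirect payload with a valid checksum (what any on-link sender can do)."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    body = struct.pack("!BBHI", ICMPV6_REDIRECT, 0, 0, 0)      # type, code, checksum=0, reserved
    body += ipaddress.IPv6Address(target).packed
    body += ipaddress.IPv6Address(destination).packed
    for otype, odata in options:                                # TLV options, length in 8-octet units
        olen = (2 + len(odata) + 7) // 8
        body += bytes([otype, olen]) + odata.ljust(olen * 8 - 2, b"\x00")
    csum = icmpv6_checksum(src, dst, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def parse_redirect(payload):
    """Split a Redirect into its fields; raise ValueError on malformed length or options."""
    if len(payload) < 40:
        raise ValueError("ICMPv6 Redirect shorter than 40 bytes")
    mtype, code, csum = struct.unpack("!BBH", payload[:4])
    msg = {
        "type": mtype, "code": code, "checksum": csum,
        "target": ipaddress.IPv6Address(payload[8:24]),
        "destination": ipaddress.IPv6Address(payload[24:40]),
        "options": [],
    }
    off = 40
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:                                           # 8.1: every option length must be > 0
            raise ValueError("option with zero length")
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("option runs past end of message")
        msg["options"].append((otype, payload[off + 2:end]))
        off = end
    return msg


def validate_redirect(src, dst, hop_limit, payload, current_first_hop=None):
    """Return the RFC 4861 8.1 reasons to silently discard this Redirect ([] = accept)."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    try:
        msg = parse_redirect(payload)
    except ValueError as err:
        return [str(err)]
    reasons = []
    if msg["type"] != ICMPV6_REDIRECT:
        reasons.append("type %d is not Redirect" % msg["type"])
    if not src.is_link_local:
        reasons.append("source %s is not link-local" % src)
    if hop_limit != 255:
        reasons.append("hop limit %d != 255, packet may have been forwarded" % hop_limit)
    if msg["code"] != 0:
        reasons.append("code %d != 0" % msg["code"])
    zeroed = payload[:2] + b"\x00\x00" + payload[4:]
    if icmpv6_checksum(src, dst, zeroed) != msg["checksum"]:
        reasons.append("bad checksum")
    if msg["destination"].is_multicast:
        reasons.append("destination is multicast")
    if not (msg["target"].is_link_local or msg["target"] == msg["destination"]):
        reasons.append("target is neither link-local nor equal to destination")
    # The only sender-binding check: source must be the host's current first hop for the destination.
    if current_first_hop is not None and src != ipaddress.IPv6Address(current_first_hop):
        reasons.append("source is not the current first hop %s" % current_first_hop)
    return reasons


# Constructed sample (made-up addresses): router fe80::1 tells host fe80::2 that
# 2001:db8::1 is better reached via fe80::3.
ROUTER_LL, HOST_LL = "fe80::1", "fe80::2"
GOOD = build_redirect(ROUTER_LL, HOST_LL, "fe80::3", "2001:db8::1",
                      options=[(OPT_TARGET_LLADDR, bytes.fromhex("001122334455"))])
# Same shape of message, but sent by a rogue host spoofing the router's link-local source.
SPOOFED = build_redirect(ROUTER_LL, HOST_LL, "fe80::bad", "2001:db8::1")

if __name__ == "__main__":
    print("genuine :", validate_redirect(ROUTER_LL, HOST_LL, 255, GOOD, ROUTER_LL))
    print("off-link:", validate_redirect(ROUTER_LL, HOST_LL, 64, GOOD, ROUTER_LL))
    print("spoofed :", validate_redirect(ROUTER_LL, HOST_LL, 255, SPOOFED, ROUTER_LL))
```

The point the code makes explicit: every check in section 8.1 is local (hop limit 255, link-local source, checksum, target shape) or keyed only on the unauthenticated source address, so a host on the same link that spoofs the router's link-local address produces a Redirect that passes all of them and rewrites the victim's next hop for that destination. That is the same trust model as an unauthenticated RA, and it is why host hardening templates turn off acceptance rather than rely on these checks.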