ICMP redirects and FreeBSD
Brett Glass
brett at lariat.net
Sun Sep 18 21:05:39 UTC 2011

At 11:06 PM 9/17/2011, Brian Seklecki (Mobile) wrote:
>Only a few unsound routing/network topology configurations really
>depend on redirects these days; They can't be trusted because they
>can't be authenticated? ~BAS

There's no cryptologically sound authentication, true, but there
isn't for proxy ARP either (and that's one of the other options
that I'd rather not use). Redirects do have the advantage that they
can be firewalled, so that they will not be allowed to originate
outside the network and will only be accepted from certain trusted
hosts within it. If the firewall rules are correct, an outside
attacker can't spoof redirects.

My interest in this is that I am trying to figure out the best way
to manage a routed corporate network with rapidly changing topology
and frequent assignments and reassignments of addresses and address
blocks. RIP is a disastrous mess and very chatty. But allowing a
gateway to tell routers "below" it in the network hierarchy about
one another's address assignments via ICMP redirects is very
efficient and manageable. It means that only the gateway's routing
table must be updated to do an address assignment. What's more,
there's virtually zero propagation time and no flapping.

The problem seems to be that RFC 1821 ignores this use of ICMP
redirects. It recommends not allowing any router to accept ICMP
redirects, and this appears to have been hard coded into FreeBSD's
network stack.

--Brett Glass
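The firewalling that Brett describes, as an added pf.conf fragment that is not part of the original thread and not Brett's own configuration: the interface names em0 (Internet-facing) and em1 (internal LAN), and the address 192.0.2.1 standing in for the one internal gateway whose redirects this host should honour, are all assumptions chosen for the example. The rules drop and log redirects that arrive from outside, refuse inside-sourced packets on the outside interface so a redirect cannot be made to look internal from outside, and on the LAN accept redirects only from the trusted gateway and only when addressed to this host.

```pf
# /etc/pf.conf fragment -- added example, not from the original thread.
# Assumed names: em0 is the Internet-facing interface, em1 the internal LAN,
# and 192.0.2.1 (a documentation address used as a placeholder) is the one
# internal gateway whose ICMP redirects this host is meant to honour.
ext_if     = "em0"
int_if     = "em1"
trusted_gw = "192.0.2.1"

# Loopback traffic is not subject to the antispoof rules below.
set skip on lo0

# Drop packets arriving on the wrong interface for their source network.
# This is what stops a redirect with an "internal" source address from
# originating outside the network.
antispoof log quick for { $ext_if $int_if } inet

# ICMP redirects from the Internet are never accepted; log them so a
# spoofing attempt is visible.
block in log quick on $ext_if inet proto icmp icmp-type redir

# On the LAN, honour redirects only from the trusted gateway and only when
# they are addressed to this host's own interface address; anything else
# is dropped and logged. "quick" makes the first matching rule final.
pass in quick on $int_if inet proto icmp from $trusted_gw to $int_if \
    icmp-type redir
block in log quick on $int_if inet proto icmp icmp-type redir
```

Two caveats for anyone adopting this. First, pf only checks the outer IP source, so a host on the same LAN segment as the trusted gateway can still forge that source on-link; the rules bound the problem to the trusted segment, they do not authenticate the redirect. Second, the rules only matter if the stack is willing to act on a redirect at all: on FreeBSD, check `sysctl net.inet.icmp.drop_redirect` (1 means the kernel discards redirects regardless of the firewall) and `net.inet.icmp.log_redirect` (1 logs each one, useful while testing), and remember that the in-kernel behaviour Brett describes for forwarding hosts (`net.inet.ip.forwarding=1`) is independent of these rules.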