Re: Discarding inbound ICMP REDIRECT by default

From: Bakul Shah <bakul_at_iitbombay.org>
Date: Thu, 13 Jun 2024 20:51:02 UTC

On Jun 13, 2024, at 6:39 AM, Rodney W. Grimes <freebsd-rwg@gndrsh.dnsmgr.net> wrote:
> 
>> I propose that we start dropping inbound ICMP REDIRECTs by default, by
>> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and
>> changing the associated rc.conf machinery). I've opened a Phabricator
>> review at https://reviews.freebsd.org/D45102.
>> 
>> ICMP REDIRECTs served a useful purpose in earlier networks, but on
>> balance are more likely to represent a security issue today than to
>> provide a routing benefit. With the change in review it is of course
>> still possible to enable them if desired for a given installation.
>> This change would appear in FreeBSD 15.0 and would not be MFC'd.
>> 
>> One question raised in the review is about switching the default to
>> YES but keeping the special handling for "auto" (dropping ICMP
>> REDIRECT if a routing daemon is in use, honouring them if not). I
>> don't think this is particularly valuable given that auto was
>> introduced to override the default NO when necessary; there's no need
>> for it with the default being YES. That functionality could be
>> maintained if there is a compelling use case, though.
>> 
>> If you have any questions or feedback please follow up here or in the review.
> 
> Discarding ICMP redirects on an internet host is non-conformant with
> STD-3 via rfc-1122.  Processing of ICMP redirects is a MUST for hosts.

Back when we did a router startup, I carefully read significant portions
of rfc1122 + rfc1812 several times over. Rodney is 100% right here but
the larger issue is following relevant standards or RFCs. Anyone
contemplating such changes should become intimately familiar with these
two documents (+ any update RFCs). [Not to mention there should be tests
checking conformance]