Re: Discarding inbound ICMP REDIRECT by default
- In reply to: Rodney W. Grimes: "Re: Discarding inbound ICMP REDIRECT by default"
Date: Thu, 13 Jun 2024 20:51:02 UTC
On Jun 13, 2024, at 6:39 AM, Rodney W. Grimes <freebsd-rwg@gndrsh.dnsmgr.net> wrote:
>
>> I propose that we start dropping inbound ICMP REDIRECTs by default, by
>> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and
>> changing the associated rc.conf machinery). I've opened a Phabricator
>> review at https://reviews.freebsd.org/D45102.
>>
>> ICMP REDIRECTs served a useful purpose in earlier networks, but on
>> balance are more likely to represent a security issue today than to
>> provide a routing benefit. With the change in review it is of course
>> still possible to enable them if desired for a given installation.
>> This change would appear in FreeBSD 15.0 and would not be MFC'd.
>>
>> One question raised in the review is about switching the default to
>> YES but keeping the special handling for "auto" (dropping ICMP
>> REDIRECT if a routing daemon is in use, honouring them if not). I
>> don't think this is particularly valuable given that auto was
>> introduced to override the default NO when necessary; there's no need
>> for it with the default being YES. That functionality could be
>> maintained if there is a compelling use case, though.
>>
>> If you have any questions or feedback please follow up here or in the review.
>
> Discarding ICMP redirects on an internet host is non-conformant with
> STD-3 via RFC 1122. Processing of ICMP redirects is a MUST for hosts.

Back when we did a router startup, I carefully read significant portions of RFC 1122 + RFC 1812 several times over. Rodney is 100% right here, but the larger issue is following relevant standards or RFCs. Anyone contemplating such changes should become intimately familiar with these two documents (+ any update RFCs). [Not to mention there should be tests checking conformance.]
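The rc.conf/sysctl machinery the proposal touches, as an added example that is not part of this thread and not the FreeBSD project's own rc.d code. It resolves what a given icmp_drop_redirect setting in rc.conf(5) means for the net.inet.icmp.drop_redirect sysctl, using the "auto" semantics exactly as the proposal describes them (drop when a routing daemon is in use, honour otherwise), and audits the live kernel value when run on a FreeBSD host. Assumptions: whether a routing daemon is running is passed in as an argument rather than detected; the rc.conf fragment is constructed for the example; the live check only runs where uname(1) reports FreeBSD and is skipped elsewhere.

```shell
#!/bin/sh
# Added example, not code from the FreeBSD project or from this thread.
# Resolves an rc.conf icmp_drop_redirect setting to the sysctl value it
# implies, and audits the running kernel on FreeBSD.
# Assumption: "auto" means "drop if a routing daemon is in use, honour
# otherwise", as described in the proposal; daemon state is an explicit
# argument here, not probed for.

# effective_drop_redirect RC_VALUE DAEMON_RUNNING
#   RC_VALUE        YES | NO | auto  (case-insensitive, as rc.conf accepts)
#   DAEMON_RUNNING  1 if a routing daemon is running, 0 otherwise
# Prints the net.inet.icmp.drop_redirect value that should be in effect:
# 1 (drop inbound redirects) or 0 (honour them).
effective_drop_redirect() {
    case "$1" in
    [Yy][Ee][Ss]) echo 1 ;;
    [Nn][Oo]) echo 0 ;;
    [Aa][Uu][Tt][Oo])
        if [ "$2" -eq 1 ]; then echo 1; else echo 0; fi ;;
    *)
        echo "effective_drop_redirect: unrecognised value '$1'" >&2
        return 1 ;;
    esac
}

# rcconf_drop_redirect < rc.conf
# Prints the value of the last uncommented icmp_drop_redirect= assignment
# on stdin (quotes stripped), or "unset" if the input never assigns it.
rcconf_drop_redirect() {
    v=$(sed -n 's/^[[:space:]]*icmp_drop_redirect=[^A-Za-z]*\([A-Za-z]*\).*/\1/p' | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# sysctl_state VALUE
# Maps a net.inet.icmp.drop_redirect value to a one-word verdict.
sysctl_state() {
    case "$1" in
    1) echo dropping ;;
    0) echo honouring ;;
    *) echo unknown; return 1 ;;
    esac
}

# audit_live
# On FreeBSD, reports whether the running kernel drops or honours inbound
# ICMP redirects. Returns 2 on other systems so the script stays portable.
audit_live() {
    [ "$(uname -s)" = FreeBSD ] || {
        echo "audit_live: not FreeBSD, live check skipped" >&2
        return 2
    }
    cur=$(sysctl -n net.inet.icmp.drop_redirect) || return 1
    echo "net.inet.icmp.drop_redirect=$cur: kernel is $(sysctl_state "$cur") inbound ICMP redirects"
}

# Constructed sample rc.conf fragment (not a real host's configuration).
SAMPLE_RCCONF='hostname="example.local"
# routed_enable="YES"
icmp_drop_redirect="auto"
'

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    rc=$(printf '%s' "$SAMPLE_RCCONF" | rcconf_drop_redirect)
    echo "sample rc.conf sets icmp_drop_redirect=$rc"
    echo "  with no routing daemon: sysctl value $(effective_drop_redirect "$rc" 0)"
    echo "  with a routing daemon:  sysctl value $(effective_drop_redirect "$rc" 1)"
fi
```

Run it with `--live` on a FreeBSD host to see the current kernel setting; without arguments it walks the constructed sample. Changing the persistent setting is the rc.conf knob (`icmp_drop_redirect="YES"`) and the running kernel is changed with `sysctl net.inet.icmp.drop_redirect=1`, which is the pair of settings the proposal's default change would flip.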