Subject: Re: Discarding inbound ICMP REDIRECT by default
From: Bakul Shah
Date: Thu, 13 Jun 2024 13:51:02 -0700
To: "Rodney W. Grimes"
Cc: Ed Maste, FreeBSD Net
List: Networking and TCP/IP with FreeBSD (https://lists.freebsd.org/archives/freebsd-net)

On Jun 13, 2024, at 6:39 AM, Rodney W. Grimes wrote:
>
>> I propose that we start dropping inbound ICMP REDIRECTs by default, by
>> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and
>> changing the associated rc.conf machinery). I've opened a Phabricator
>> review at https://reviews.freebsd.org/D45102.
>>
>> ICMP REDIRECTs served a useful purpose in earlier networks, but on
>> balance are more likely to represent a security issue today than to
>> provide a routing benefit. With the change in review it is of course
>> still possible to enable them if desired for a given installation.
>> This change would appear in FreeBSD 15.0 and would not be MFC'd.
>>
>> One question raised in the review is about switching the default to
>> YES but keeping the special handling for "auto" (dropping ICMP
>> REDIRECT if a routing daemon is in use, honouring them if not). I
>> don't think this is particularly valuable given that auto was
>> introduced to override the default NO when necessary; there's no need
>> for it with the default being YES. That functionality could be
>> maintained if there is a compelling use case, though.
>>
>> If you have any questions or feedback please follow up here or in the review.
>
> Discarding ICMP redirects on an internet host is non-conformant with
> STD-3 via rfc-1122. Processing of ICMP redirects is a MUST for hosts.

Back when we did a router startup, I carefully read significant portions of rfc1122 + rfc1812 several times over. Rodney is 100% right here but the larger issue is following relevant standards or RFCs.

Anyone contemplating such changes should become intimately familiar with these two documents (+ any update RFCs). [Not to mention there should be tests checking conformance]
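As an added example, not code from this thread or from FreeBSD: RFC 1122 section 3.2.2.2 does not ask a host to honour every Redirect it receives; it says a Redirect should be silently discarded unless it came from the current first-hop gateway for the destination and names a new gateway on the directly connected network. The validator below implements those checks over a constructed, in-memory Redirect (the addresses, the current_gateway/local_net parameters and the helper names are assumptions for the example).

```python
"""Acceptance checks for an ICMPv4 Redirect (type 5) per RFC 1122 s3.2.2.2."""
import ipaddress
import struct


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_redirect(icmp: bytes) -> dict:
    """Return code, new gateway and original destination of a Redirect, else raise ValueError."""
    if len(icmp) < 8 + 20:  # ICMP header plus the embedded IP header of the original datagram
        raise ValueError("too short for ICMP header + embedded IP header")
    icmp_type, code, _csum, gw = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != 5 or code > 3:  # codes 0-3: net/host, with and without TOS
        raise ValueError("not a Redirect")
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad checksum")
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl:
        raise ValueError("embedded IP header truncated")
    dest = ipaddress.IPv4Address(inner[16:20])  # destination field of the original datagram
    return {"code": code, "new_gateway": ipaddress.IPv4Address(gw), "dest": dest}


def redirect_acceptable(src: str, icmp: bytes, current_gateway, local_net):
    """Apply the RFC 1122 s3.2.2.2 discard rules; return (accept, reason)."""
    try:
        r = parse_redirect(icmp)
    except ValueError as exc:
        return False, str(exc)
    if ipaddress.IPv4Address(src) != current_gateway:
        return False, "source is not the current first-hop gateway"
    if r["new_gateway"] not in local_net:
        return False, "new gateway not on the connected network"
    return True, "route %s via %s" % (r["dest"], r["new_gateway"])


def build_redirect(new_gateway: str, dest: str, code: int = 1) -> bytes:
    """Constructed test input (never sent): a host Redirect with a minimal embedded IP header."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        ipaddress.IPv4Address("192.0.2.10").packed,
                        ipaddress.IPv4Address(dest).packed) + b"\x00" * 8
    gw = int(ipaddress.IPv4Address(new_gateway))
    csum = icmp_checksum(struct.pack("!BBHI", 5, code, 0, gw) + inner)
    return struct.pack("!BBHI", 5, code, csum, gw) + inner
```

The source check is the one that matters for the spoofing concern raised in the thread: a Redirect that does not come from the host's current gateway for that destination is dropped even on a fully conformant host.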