Re: Discarding inbound ICMP REDIRECT by default

From: Rodney W. Grimes <freebsd-rwg_at_gndrsh.dnsmgr.net>
Date: Fri, 14 Jun 2024 15:13:20 UTC
> On Fri, 14 Jun 2024 at 09:52, Rodney W. Grimes
> <freebsd-rwg@gndrsh.dnsmgr.net> wrote:
> > >
> > > I would argue that having IP forwarding enabled (i.e.
> > > net.inet.ip.forwarding for IPv4) is what establishes FreeBSD as a
> > > router, and ICMP REDIRECT messages are already dropped in kernel in
> > > that case.
> >
> > Yet another mistake by FreeBSD.  These ICMP dropping or not dropping
> > are SITE SPECIFIC POLICIES, and should never be hard coded to wrong
> > knobs.
> 
> This change dates to 2004:
> 
> commit 87c3bd275523515dc67444b900a8f1d39ae257cd
> Author: Andre Oppermann <andre@FreeBSD.org>
> Date:   Tue Jan 6 23:20:07 2004 +0000
> 
>     According to RFC1812 we have to ignore ICMP redirects when we
                           ^^^^^^^^^^

Incorrect interpretation of ietf keyword "MAY".

>     are acting as router (ipforwarding enabled).
> 
>     This doesn't fix the problem that host routes from ICMP redirects
>     are never removed from the kernel routing table but removes the
>     problem for machines doing packet forwarding.
> 
> RFC1812 is not quite that explicit, but:
> 
> | A router using a routing protocol (other than static routes) MUST NOT
> | consider paths learned from ICMP Redirects when forwarding a packet.
> | If a router is not using a routing protocol, a router MAY have a
> | configuration that, if set, allows the router to consider routes
> | learned through ICMP Redirects when forwarding packets.

That section is about how the router responds to an ICMP redirect
sent to IT, not one that is going THROUGH it.

5.2.7.2 about generating redirects is also not relevant here,
as we are discussing forwarding redirects.

As far as I can find RFC1812 does NOT discuss the issue of forwarding
ICMP REDIRECTs.

-- 
Rod Grimes                                                 rgrimes@freebsd.org
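As an added illustration (not part of this thread), a small sh audit that reports how a FreeBSD host will treat inbound ICMP REDIRECTs given the knobs involved. The net.inet.icmp.drop_redirect and net.inet.icmp.log_redirect sysctl names are FreeBSD's own and are not quoted in the thread; the "forwarding wins" rule mirrors the 2004 kernel behaviour described above, where net.inet.ip.forwarding=1 makes the kernel ignore redirects regardless of the site's drop_redirect setting.

```shell
#!/bin/sh
# redirect_policy FWD DROP LOG
#   FWD  = net.inet.ip.forwarding      (0/1)
#   DROP = net.inet.icmp.drop_redirect (0/1)
#   LOG  = net.inet.icmp.log_redirect  (0/1)
# Prints one line: effective=<ignored|accepted> decided_by=<...> logged=<yes|no>
# decided_by=forwarding is the case the thread complains about: the site's
# own knob is not what is deciding, the forwarding setting is.
redirect_policy() {
    fwd=$1; drop=$2; log=$3
    for v in "$fwd" "$drop" "$log"; do
        case "$v" in
            0|1) ;;
            *) echo "redirect_policy: expected 0/1, got '$v'" >&2; return 2 ;;
        esac
    done
    if [ "$drop" -eq 1 ]; then
        # Site asked for redirects to be ignored: the knob is in control.
        effective=ignored; decided_by=drop_redirect
    elif [ "$fwd" -eq 1 ]; then
        # Knob says accept, but the kernel ties the decision to forwarding.
        effective=ignored; decided_by=forwarding
    else
        # Plain host default: redirects are honoured.
        effective=accepted; decided_by=default
    fi
    if [ "$log" -eq 1 ]; then logged=yes; else logged=no; fi
    echo "effective=$effective decided_by=$decided_by logged=$logged"
}

# Read the live values on a FreeBSD box. To make the site policy explicit in
# rc.conf(5) rather than relying on the forwarding tie-in, set
# icmp_drop_redirect="YES" (and icmp_log_redirect="YES" to see attempts in syslog).
audit_redirects() {
    redirect_policy "$(sysctl -n net.inet.ip.forwarding)" \
                    "$(sysctl -n net.inet.icmp.drop_redirect)" \
                    "$(sysctl -n net.inet.icmp.log_redirect)"
}

if [ "$(uname -s)" = FreeBSD ]; then
    audit_redirects
fi
```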