ICMP redirects and FreeBSD

Brett Glass brett at lariat.net
Sun Sep 18 21:05:39 UTC 2011

At 11:06 PM 9/17/2011, Brian Seklecki (Mobile) wrote:

>Only a few unsound routing/network topology configurations really 
>depend on redirects these days; They can't be trusted because they 
>can't be authenticated?  ~BAS

There's no cryptologically sound authentication, true, but there 
isn't for proxy ARP either (and that's one of the other options 
that I'd rather not use). Redirects do have the advantage that they 
can be firewalled, so that they will not be allowed to originate 
outside the network and will only be accepted from certain trusted 
hosts within it. If the firewall rules are correct, an outside 
attacker can't spoof redirects.

My interest in this is that I am trying to figure out the best way 
to manage a routed corporate network with rapidly changing topology 
and frequent assignments and reassignments of addresses and address 
blocks. RIP is a disastrous mess and very chatty. But allowing a 
gateway to tell routers "below" it in the network hierarchy about 
one another's address assignments via ICMP redirects is very 
efficient and manageable. It means that only the gateway's routing 
table must be updated to do an address assignment. What's more, 
there's virtually zero propagation time and no flapping.

The problem seems to be that RFC 1821 ignores this use of ICMP 
redirects. It recommends not allowing any router to accept ICMP 
redirects, and this appears to have been hard coded into FreeBSD's 
network stack.

--Brett Glass

More information about the freebsd-questions mailing list