On Tue, Jan 15, 2013 at 09:46:37AM -0600, Karl O. Pinc wrote:
> Something that's not mentioned that
> comes to mind is ICMP redirection. (Without thinking
> about it a lot it seems like it should be a good candidate.)
> However when I tried ICMP redirection on OpenBSD
> years ago I couldn't get it to work. Never looked to see why,
> or whether it's been fixed since. Or, I might have been doing
> something wrong. If anyone can send a clue my way
> I'd appreciate knowing more.
An ICMP redirect, if it is honored by a client, does not mean "if you want to talk to external-server, connect to proxy-on-local-network instead", but "if you want to reach external-server, route through next-hop-on-local-network". The difference is that the reaction will not change the destination IP address, but the destination MAC address. It's really the same as if you added a temporary host route on the client. The proxy will simply ignore the IP packet for a foreign IP address sent to its MAC address (like a default gateway that has IP forwarding disabled).

OpenBSD ignores ICMP redirects by default; you can enable it with sysctl net.inet.icmp.rediraccept, if you want to try.

The security risk is that someone on the local network could send you ICMP redirects for various destinations (like the DNS server), for a man-in-the-middle attack.

Daniel
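As an added illustration (not part of Daniel's message or of OpenBSD): a small parser for ICMP redirect messages that extracts exactly what a host acts on, the new next hop and the affected destination, and applies the plausibility checks a host or an IDS would apply before honoring one. The addresses, the local network and the sample packet are constructed assumptions.

```python
import ipaddress
import struct

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed lab network
DEFAULT_GW = ipaddress.ip_address("192.0.2.1")     # the host's real first-hop router

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_redirect(gateway: str, orig_src: str, orig_dst: str) -> bytes:
    """Constructed sample ICMP Redirect (type 5, code 1 = redirect for host):
    8-byte ICMP header carrying the new gateway, followed by the IP header
    plus 8 payload bytes of the datagram that supposedly triggered it."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                           ipaddress.ip_address(orig_src).packed,
                           ipaddress.ip_address(orig_dst).packed)
    inner_ip += b"\x00" * 8                      # first 8 bytes of the quoted payload
    hdr = struct.pack("!BBH4s", 5, 1, 0, ipaddress.ip_address(gateway).packed)
    csum = icmp_checksum(hdr + inner_ip)
    return struct.pack("!BBH4s", 5, 1, csum, ipaddress.ip_address(gateway).packed) + inner_ip

def parse_redirect(msg: bytes) -> dict:
    """Return the fields a host installs as a temporary host route."""
    typ, code, _csum, gw = struct.unpack("!BBH4s", msg[:8])
    if typ != 5:
        raise ValueError("not an ICMP redirect")
    if icmp_checksum(msg) != 0:                  # valid message sums to zero
        raise ValueError("bad ICMP checksum")
    orig_dst = msg[8 + 16:8 + 20]                # destination field of the quoted IP header
    return {"code": code,
            "gateway": ipaddress.ip_address(gw),
            "orig_dst": ipaddress.ip_address(orig_dst)}

def suspicious(sender: str, msg: bytes) -> list:
    """Reasons not to honor the redirect (empty list = plausible)."""
    r = parse_redirect(msg)
    reasons = []
    if ipaddress.ip_address(sender) != DEFAULT_GW:
        reasons.append("sender is not the current first-hop gateway")
    if r["gateway"] not in LOCAL_NET:
        reasons.append("new gateway is not on the local network")
    if r["orig_dst"] in LOCAL_NET:
        reasons.append("redirect for a destination that is already on-link")
    return reasons
```

The same three checks, run against the source and gateway fields of observed redirects, are what a passive monitor would log to spot a host on the LAN steering traffic for, say, the DNS server through itself.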