On Wed, 2010-08-25 at 20:08 -0500, James Hess wrote:
> On Fri, Aug 20, 2010 at 4:08 PM, Butch Evans wrote:
> I would suggest the recommendation be that ICMP Redirects, proxy ARP,
> directed broadcast, source routing, and acceptance/usage
> of all fancy/surprising features should be off by defa
On Fri, Aug 20, 2010 at 4:08 PM, Butch Evans wrote:
I would suggest the recommendation be that ICMP Redirects, proxy ARP,
directed broadcast, source routing, and acceptance/usage
of all fancy/surprising features should be off by default. Where
"surprising" is defined as the sort of thing tha
On Wed, 25 Aug 2010 01:18:15 -0400
Christopher Morrow wrote:
> On Tue, Aug 24, 2010 at 4:32 PM, William Herrin wrote:
> > On Fri, Aug 20, 2010 at 1:20 PM, Christopher Morrow
> > wrote:
> >> Polling a little bit here, there's an active discussion going on
> >> 6...@ietf about whether or not v6 r
On Aug 24, 2010, at 4:32 PM, William Herrin wrote:
On Fri, Aug 20, 2010 at 1:20 PM, Christopher Morrow
wrote:
Polling a little bit here, there's an active discussion going on
6...@ietf about whether or not v6 routers should:
o be required to implement ip redirect functions (icmpv6 redirect)
> A host SHOULD support listening to redirects and MUST have a knob to
> turn off this listening if implemented. A router MUST have redirects
> off as default but MUST support a knob turning them on and when
> sending a redirect it MUST forward the packet that generated the
> redirect.
wfm
randy
On Wed, 25 Aug 2010, Stephen Stuart wrote:
Once upon a time
I think the question is what sensible defaults should be. In my
environment we turn off proxy-arp and redirects, and it is my firm belief
that this is actually what should be the default.
In my opinion:
A host SHOULD support list
> > Forgetting all of the theoretical constructs for a moment, has anyone
> > here personally encountered an operational scenario in which ICMP
> > redirects solved a problem for you that you would otherwise have found
> > difficult or intransigent? Without naming names, would you describe
> > the
On Tue, Aug 24, 2010 at 4:32 PM, William Herrin wrote:
> On Fri, Aug 20, 2010 at 1:20 PM, Christopher Morrow
> wrote:
>> Polling a little bit here, there's an active discussion going on
>> 6...@ietf about whether or not v6 routers should:
>> o be required to implement ip redirect functions (icmp
On Fri, 2010-08-20 at 21:34 -0400, Brandon Ross wrote:
> So far I have not heard a single compelling argument for how the
> _transmittal_ of ICMP redirects can cause any significant harm to a
> network other than what the other typical protocols that are enabled by
> default (ping, can't frage
On Tue, 24 Aug 2010 13:25:01 -0700
"David W. Hankins" wrote:
> On Sun, Aug 22, 2010 at 10:12:01AM +0930, Mark Smith wrote:
> > o allow an IPv6 router to indicate to an end-node that the destination
> > it is attempting to send to is onlink. This situation occurs when the
> > router is more infor
On Fri, Aug 20, 2010 at 1:20 PM, Christopher Morrow
wrote:
> Polling a little bit here, there's an active discussion going on
> 6...@ietf about whether or not v6 routers should:
> o be required to implement ip redirect functions (icmpv6 redirect)
> o be sending these by default
Hi Chris,
If yo
On Tue, Aug 24, 2010 at 01:02:49PM -0700, David W. Hankins wrote:
> will ultimately be cleaned. If the destination is reused later,
>
Ah, I forgot to complete this thought in editing.
If packets are sent to the destination later (after a cache entry is
expired) the host obviously starts over as
On Sun, Aug 22, 2010 at 10:12:01AM +0930, Mark Smith wrote:
> o allow an IPv6 router to indicate to an end-node that the destination
> it is attempting to send to is onlink. This situation occurs when the
> router is more informed than the origin end-node about what prefixes
> are onlink.
>
> Thi
On Fri, Aug 20, 2010 at 07:49:43PM -0400, Ricky Beam wrote:
> I think it's almost universally disabled (by default) everywhere in IPv4
> purely for security (traffic interception.) In a perfectly run network,
> redirects should never be necessary, so I'd think IPv6 should avoid going
> down tha
On Sat, 21 Aug 2010 20:42:01 -0400, Mark Smith
wrote:
In IPv6, redirects serve two purposes, whereas in IPv4 they only
served one -
IPv4 redirects serve exactly the same two situations... both are
situations where a router would be required to hairpin a packet -- either
the destination i
On Sat, 21 Aug 2010 09:12:47 -0500
Jack Bates wrote:
> Eric J. Katanich wrote:
> >
> > You disable it on the host and if no host is using it, you might as well
> > disable it on the router as well. Others mentioned
> > some routers need to handle this in software instead of hardware, which
> >
On Sat, 21 Aug 2010 10:32:00 -0400
Jared Mauch wrote:
>
> On Aug 21, 2010, at 10:12 AM, Jack Bates wrote:
>
> > Eric J. Katanich wrote:
> >> You disable it on the host and if no host is using it, you might as well
> >> disable it on the router as well. Others mentioned
> >> some routers need to
I appreciate the discussion.. Eric, are you reflecting messages back
to the list without additional content for a reason?
list-admin folks, could we ping eric and see what's busted?
On Fri, Aug 20, 2010 at 9:08 PM, Eric J. Katanich wrote:
> On 08/21/2010 02:08 AM, Brandon Ross wrote:
>> On Fri,
On Aug 21, 2010, at 10:12 AM, Jack Bates wrote:
> Eric J. Katanich wrote:
>> You disable it on the host and if no host is using it, you might as well
>> disable it on the router as well. Others mentioned
>> some routers need to handle this in software instead of hardware, which is
>> obviously s
On Aug 21, 2010, at 2:11 AM, Yann GAUTERON wrote:
>
>
> 2010/8/20 Jared Mauch
>
> Personally (and as the instigator in the ipv6/6man discussion) if the
> vendors could be trusted to expose their default settings in their
> configs, i would find a default of ON to be more acceptable. As their
Eric J. Katanich wrote:
You disable it on the host and if no host is using it, you might as well
disable it on the router as well. Others mentioned
some routers need to handle this in software instead of hardware, which
is obviously slower.
Most redirects are limited in their rate, so it gene
2010/8/20 Jared Mauch
>
> Personally (and as the instigator in the ipv6/6man discussion) if the
> vendors could be trusted to expose their default settings in their
> configs, i would find a default of ON to be more acceptable. As their
> track-record is poor, and the harm has been realized in t
On Fri, 20 Aug 2010 21:24:43 -0400
"Ricky Beam" wrote:
> On Fri, 20 Aug 2010 20:43:39 -0400, Mark Smith
> wrote:
> > You're assuming the cost of always hair pinning traffic on an interface
> > is cheaper than issuing a redirect.
>
> I am saying no such thing. (a single redirect packet is alwa
On Fri, 20 Aug 2010, Ricky Beam wrote:
On Fri, 20 Aug 2010 20:08:34 -0400, Brandon Ross wrote:
Okay, I'll ask again. Exactly how does disabling ICMP redirects on my
router prevent traffic from being intercepted?
It stops *one vector* of MITM attack. If a router honors redirects (and it
ne
On Fri, 20 Aug 2010 20:43:39 -0400, Mark Smith
wrote:
You're assuming the cost of always hair pinning traffic on an interface
is cheaper than issuing a redirect.
I am saying no such thing. (a single redirect packet is always more
efficient.) I *am* saying ICMP redirects are a mistake that
On Fri, 20 Aug 2010 20:08:34 -0400, Brandon Ross wrote:
Okay, I'll ask again. Exactly how does disabling ICMP redirects on my
router prevent traffic from being intercepted?
It stops *one vector* of MITM attack. If a router honors redirects (and
it never should), an evil host can intercept
On 08/21/2010 02:08 AM, Brandon Ross wrote:
> On Fri, 20 Aug 2010, Ricky Beam wrote:
>
>> I think it's almost universally disabled (by default) everywhere in
>> IPv4 purely for security (traffic interception.)
>
> Okay, I'll ask again. Exactly how does disabling ICMP redirects on my
> router pre
On Fri, 20 Aug 2010 13:20:58 -0400, Christopher Morrow
wrote:
> Polling a little bit here, there's an active discussion going on
> 6...@ietf about whether or not v6 routers should:
> o be required to implement ip redirect functions (icmpv6 redirect)
> o be sending these by default
...
> In i
On Fri, 20 Aug 2010, Ricky Beam wrote:
> I think it's almost universally disabled (by default) everywhere in IPv4
> purely for security (traffic interception.)
Okay, I'll ask again. Exactly how does disabling ICMP redirects on my
router prevent traffic from being intercepted?
--
Brandon Ross
On Fri, 20 Aug 2010 18:16:35 EDT, Brandon Ross said:
> How does turning off ICMP redirects on the router prevent a rogue PC from
> sending ICMP redirects to its neighbors?
If I know for a fact that the network is designed such that I will never ever
receive a valid ICMP redirect because there i
On Fri, 20 Aug 2010 19:49:43 -0400
"Ricky Beam" wrote:
> On Fri, 20 Aug 2010 13:20:58 -0400, Christopher Morrow
> wrote:
> > Polling a little bit here, there's an active discussion going on
> > 6...@ietf about whether or not v6 routers should:
> > o be required to implement ip redirect funct
On 08/21/2010 02:08 AM, Brandon Ross wrote:
On Fri, 20 Aug 2010, Ricky Beam wrote:
I think it's almost universally disabled (by default) everywhere in
IPv4 purely for security (traffic interception.)
Okay, I'll ask again. Exactly how does disabling ICMP redirects on my
router prevent traffi
On Fri, 20 Aug 2010, Ricky Beam wrote:
I think it's almost universally disabled (by default) everywhere in IPv4
purely for security (traffic interception.)
Okay, I'll ask again. Exactly how does disabling ICMP redirects on my
router prevent traffic from being intercepted?
--
Brandon Ross
On Fri, 20 Aug 2010 13:20:58 -0400, Christopher Morrow
wrote:
Polling a little bit here, there's an active discussion going on
6...@ietf about whether or not v6 routers should:
o be required to implement ip redirect functions (icmpv6 redirect)
o be sending these by default
...
In ipv4 the
See below
Jared Mauch
On Aug 20, 2010, at 6:34 PM, Owen DeLong wrote:
>
> On Aug 20, 2010, at 2:54 PM, valdis.kletni...@vt.edu wrote:
>
>> On Fri, 20 Aug 2010 16:08:19 CDT, Butch Evans said:
>>
>>> Maybe I'm missing something. Can you point me to something that will
>>> help me understand W
Yea the stuff that sometimes is done in hw and sometimes in sw and causes
varying pain. You may find the discussion interesting to read if you feel
redirects are "ok" or tolerable.
If vendors can't expose their defaults they really should not be enabling these
things as it causes trouble.
I'
On Fri, 20 Aug 2010, Jared Mauch wrote:
The issue is routers typically do this in software requiring a punt and
CPU theft from bgp, ospf etc.
You mean like ICMP echo, ICMP can't fragment, ICMP unreachable...?
--
Brandon Ross AIM: BrandonNRoss
On Aug 20, 2010, at 2:54 PM, valdis.kletni...@vt.edu wrote:
> On Fri, 20 Aug 2010 16:08:19 CDT, Butch Evans said:
>
>> Maybe I'm missing something. Can you point me to something that will
>> help me understand WHY an ICMP redirect is such a huge security concern?
>> For most of the networks tha
See below
Jared Mauch
On Aug 20, 2010, at 6:16 PM, Brandon Ross wrote:
> On Fri, 20 Aug 2010, valdis.kletni...@vt.edu wrote:
>
>> Until a PC or something on the network gets pwned, and issues selective
>> forged
>> ICMP redirects to declare itself a router and the appropriate destination for
On Fri, 20 Aug 2010, valdis.kletni...@vt.edu wrote:
Until a PC or something on the network gets pwned, and issues selective forged
ICMP redirects to declare itself a router and the appropriate destination for
some traffic, which it can then MITM to its heart's content. *Then* you truly
have a ma
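Brandon Ross asks earlier in the thread how turning redirects off on the router stops a rogue PC from sending them to its neighbours; the answers from Valdis and Ricky Beam are that the interception vector lives on the hosts that listen, so acceptance has to be off there too. The block below is an added example, not code posted by anyone in this thread, showing what a host that does listen can and cannot check: it parses an ICMPv6 Redirect and applies the receiver validation rules of RFC 4861 section 8.1, ending with the rule that the redirect's source must be the host's current first-hop router for that destination. All addresses, the packets and the `current_first_hop` dictionary (a stand-in for the host's destination cache) are constructed for the demo.

```python
"""Receiver-side checks for an ICMPv6 Redirect (RFC 4861, section 8.1).

Added example with constructed packets; not code from the thread.
"""
import ipaddress
import struct

ICMPV6_REDIRECT = 137
IPPROTO_ICMPV6 = 58


def icmpv6_checksum(src, dst, payload):
    """One's-complement checksum over the IPv6 pseudo-header and the ICMPv6 message."""
    pseudo = src + dst + struct.pack("!I", len(payload)) + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6])
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(src, dst, target, destination, hop_limit=255):
    """IPv6 header + Redirect with no options; used only to construct demo input."""
    src_b = ipaddress.IPv6Address(src).packed
    dst_b = ipaddress.IPv6Address(dst).packed
    msg = struct.pack("!BBHI", ICMPV6_REDIRECT, 0, 0, 0)   # type, code, checksum, reserved
    msg += ipaddress.IPv6Address(target).packed           # Target Address (new first hop)
    msg += ipaddress.IPv6Address(destination).packed      # Destination Address being redirected
    csum = icmpv6_checksum(src_b, dst_b, msg)
    msg = msg[:2] + struct.pack("!H", csum) + msg[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(msg), IPPROTO_ICMPV6, hop_limit) + src_b + dst_b
    return ip6 + msg


def validate_redirect(packet, current_first_hop):
    """Apply the RFC 4861 8.1 checks in order. Returns (accepted, reason).

    current_first_hop maps a destination address string to the link-local address of
    the router this host is currently using for it (stand-in for the destination cache).
    """
    if len(packet) < 40:
        return False, "truncated IPv6 header"
    _, plen, nh, hlim = struct.unpack("!IHBB", packet[:8])
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    msg = packet[40:40 + plen]
    if nh != IPPROTO_ICMPV6:
        return False, "not ICMPv6"
    if hlim != 255:
        return False, "hop limit != 255, so it crossed a router"
    if not src.is_link_local:
        return False, "source is not link-local"
    if len(msg) < 40:
        return False, "ICMPv6 length < 40"
    typ, code, _ = struct.unpack("!BBH", msg[:4])
    if typ != ICMPV6_REDIRECT or code != 0:
        return False, "not a Redirect with code 0"
    if icmpv6_checksum(src.packed, dst.packed, msg) != 0:  # sums to zero when the field is right
        return False, "bad checksum"
    target = ipaddress.IPv6Address(msg[8:24])
    destination = ipaddress.IPv6Address(msg[24:40])
    if destination.is_multicast:
        return False, "destination is multicast"
    if not (target.is_link_local or target == destination):
        return False, "target is neither link-local nor the destination itself"
    off = 40                                               # every option needs a nonzero length
    while off < len(msg):
        if off + 2 > len(msg) or msg[off + 1] == 0:
            return False, "malformed option"
        off += msg[off + 1] * 8
    router = current_first_hop.get(str(destination))
    if router is None or ipaddress.IPv6Address(router) != src:
        return False, "source is not the current first-hop router for that destination"
    return True, "accepted"


def demo():
    """Three constructed packets on one link: host fe80::1 currently uses router fe80::ffff:1."""
    cache = {"2001:db8:1::5": "fe80::ffff:1"}
    legit = build_redirect("fe80::ffff:1", "fe80::1", "fe80::ffff:2", "2001:db8:1::5")
    rogue_own_src = build_redirect("fe80::bad", "fe80::1", "fe80::bad", "2001:db8:1::5")
    rogue_spoofed = build_redirect("fe80::ffff:1", "fe80::1", "fe80::bad", "2001:db8:1::5")
    return {
        "legit": validate_redirect(legit, cache),
        "rogue_own_src": validate_redirect(rogue_own_src, cache),
        "rogue_spoofed": validate_redirect(rogue_spoofed, cache),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The third packet is the one that matters for the thread: the first-hop check rejects a rogue host that sends from its own link-local address, but a rogue that puts the router's link-local address in the source field, which is trivial on the same link, passes every check and steers the host's traffic for that destination to itself. The validation rules only bound the damage; they do not authenticate anything, which is why the knob to stop listening on the host is the control that actually closes the vector, independent of whether the router sends redirects by default.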
On Fri, 2010-08-20 at 17:54 -0400, valdis.kletni...@vt.edu wrote:
> Until a PC or something on the network gets pwned, and issues selective forged
> ICMP redirects to declare itself a router and the appropriate destination for
> some traffic, which it can then MITM to its heart's content. *Then* y
On Fri, 20 Aug 2010 16:08:19 CDT, Butch Evans said:
> Maybe I'm missing something. Can you point me to something that will
> help me understand WHY an ICMP redirect is such a huge security concern?
> For most of the networks that I manage (or help to manage), I can see no
> reason why this would
On Fri, Aug 20, 2010 at 1:40 PM, Mikael Abrahamsson wrote:
> On Fri, 20 Aug 2010, Jack Bates wrote:
>
>> Why should the ietf dictate a default on this?
>
> Because that's what the IETF does, sets a SHOULD on "best common practice"
> after discussion in the community.
>
>> Requiring implementation
On Fri, Aug 20, 2010 at 4:03 PM, Jared Mauch wrote:
>
> On Aug 20, 2010, at 3:56 PM, Butch Evans wrote:
>
>> On Fri, 2010-08-20 at 13:20 -0400, Christopher Morrow wrote:
>>> Polling a little bit here, there's an active discussion going on
>>> 6...@ietf about whether or not v6 routers should:
>>>
On Fri, 2010-08-20 at 16:03 -0400, Jared Mauch wrote:
> One of the challenges is that some vendors have a poor track-record of
> documenting these defaults. this means unless you frequently sample
> your network traffic, you may not see your device sending decnet mop
> messages, or ipv6 redirects
On Fri, Aug 20, 2010 at 4:10 PM, Owen DeLong wrote:
> Redirects in IPv6 are no worse nor better an idea than unauthenticated RAs
> for default routers with nearly identical security implications.
this answered a different question... wanna try answering the question
I posed originally? :)
-chris
Redirects in IPv6 are no worse nor better an idea than unauthenticated RAs for
default routers with nearly identical security implications.
Owen
Sent from my iPad
On Aug 20, 2010, at 10:20 AM, Christopher Morrow
wrote:
> Polling a little bit here, there's an active discussion going on
> 6..
On Aug 20, 2010, at 3:56 PM, Butch Evans wrote:
> On Fri, 2010-08-20 at 13:20 -0400, Christopher Morrow wrote:
>> Polling a little bit here, there's an active discussion going on
>> 6...@ietf about whether or not v6 routers should:
>> o be required to implement ip redirect functions (icmpv6 red
On Fri, 2010-08-20 at 13:20 -0400, Christopher Morrow wrote:
> Polling a little bit here, there's an active discussion going on
> 6...@ietf about whether or not v6 routers should:
> o be required to implement ip redirect functions (icmpv6 redirect)
> o be sending these by default
I do not cur
On Aug 21, 2010, at 12:20 AM, Christopher Morrow wrote:
> o routers are required to be able to send redirect messages
> o routers should NOT do this by default
I concur with this position from an opsec standpoint; at the same time, I don't
know that *mandating* a default configuration setting
Mikael Abrahamsson wrote:
As I stated in the 6man discussion, I prefer routers to by default not
send redirects. We do that in our configuration template.
I often turn them off, but I'm not sure why. If they aren't needed,
generally they won't be issued anyways (p2p links, router only segmen
On Fri, 20 Aug 2010, Jack Bates wrote:
Why should the ietf dictate a default on this?
Because that's what the IETF does, sets a SHOULD on "best common
practice" after discussion in the community.
Requiring implementation I could understand, but setting the default?
Should the ietf also spe
Why should the ietf dictate a default on this? Requiring implementation
I could understand, but setting the default? Should the ietf also
specify requirement of allowing configuration change of a default?
Honestly, redirects are not near the problem as icmp unreachables.
Jack
Christopher Mor
Polling a little bit here, there's an active discussion going on
6...@ietf about whether or not v6 routers should:
o be required to implement ip redirect functions (icmpv6 redirect)
o be sending these by default
Essentially 12+ years ago in RFC2461
(http://www.ietf.org/rfc/rfc2461.txt) and lat