Re: ICMPv6 redirects
On Mon, 7 Sep 2009 20:25:41 -0400 (EDT)
der Mouse <mouse%Rodents-Montreal.ORG@localhost> wrote:
> >>> I do understand why this is implemented this way. But shouldn't
> >>> this be tunable?
> >> [..."I think so"...]
> > In this case, though, there's a security issue, though arguably one
> > that's not a lot more serious than Neighbor Discovery without SEND.
> What's the issue? I can't see anything wrong with this, unless the
> threat model includes hostile machines in the same broadcast domain.
> (Yes, there are plenty of environments where that's a necessary part
> of the threat model, but there are also plenty of environments where
> it's not, and I don't think it's sane to cater to the former to the
> extent of making it require hacking the code to obtain certain
> reasonable configurations for the latter.)
A local machine may be hostile if it's been hacked. Also note that the
straight-forward change -- permitting the redirect from anywhere --
creates a very serious DoS potential. I'd be much more comfortable
with a knob permitting redirects from link-local addresses, though
again there's the hacked machine problem.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
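
The three source policies weighed in this thread, as an added example (not part of the original message and not NetBSD code). It assumes the RFC 4861 section 8.1 host checks on a Redirect's source: link-local address, hop limit 255, and equal to the current first-hop router. The enum, struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical knob values; the names are assumptions for this example. */
enum redirect_policy {
    REDIR_FIRST_HOP_ONLY, /* RFC 4861 8.1: source must be the current first-hop router */
    REDIR_LINK_LOCAL,     /* the knob suggested above: any on-link link-local source */
    REDIR_ANY             /* the "from anywhere" change the reply warns about */
};

struct redirect_meta {
    uint8_t src[16];      /* IPv6 source address of the Redirect */
    uint8_t hop_limit;    /* hop limit as received */
};

/* Constructed sample addresses. */
static const uint8_t ROUTER[16]  = {0xfe, 0x80, [15] = 0x01};             /* fe80::1 */
static const uint8_t PEER[16]    = {0xfe, 0x80, [15] = 0x99};             /* fe80::99 */
static const uint8_t OFFLINK[16] = {0x20, 0x01, 0x0d, 0xb8, [15] = 0x01}; /* 2001:db8::1 */

/* fe80::/10: the first ten bits are 1111 1110 10. */
static bool is_link_local(const uint8_t a[16])
{
    return a[0] == 0xfe && (a[1] & 0xc0) == 0x80;
}

/* Returns true if the Redirect's source passes the selected policy. */
bool redirect_source_ok(enum redirect_policy policy,
                        const struct redirect_meta *m, const uint8_t first_hop[16])
{
    if (policy == REDIR_ANY)
        return true;
    /* Hop limit 255 shows that no router forwarded the packet, so a
     * link-local source really is on this link. */
    if (m->hop_limit != 255 || !is_link_local(m->src))
        return false;
    if (policy == REDIR_LINK_LOCAL)
        return true;
    return memcmp(m->src, first_hop, 16) == 0;
}

int main(void)
{
    struct redirect_meta m = { .hop_limit = 255 };
    memcpy(m.src, PEER, 16); /* an on-link host that is not the router */
    /* Rejected under the RFC rule, accepted under the link-local knob. */
    return !(!redirect_source_ok(REDIR_FIRST_HOP_ONLY, &m, ROUTER) && redirect_source_ok(REDIR_LINK_LOCAL, &m, ROUTER));
}
```

The link-local mode still accepts a Redirect from any host on the link, which is the hacked-machine case raised in the message.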