tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: ICMPv6 redirects

On Mon, 7 Sep 2009 20:25:41 -0400 (EDT)
der Mouse <mouse%Rodents-Montreal.ORG@localhost> wrote:

> >>> I do understand why this is implemented this way.  But shouldn't
> >>> this be tunable?
> >> [..."I think so"...]
> > In this case, though, there's a security issue, though arguably one
> > that's not a lot more serious than Neighbor Discovery without SEND.
> What's the issue?  I can't see anything wrong with this, unless the
> threat model includes hostile machines in the same broadcast domain.
> (Yes, there are plenty of environments where that's a necessary part
> of the threat model, but there are also plenty of environments where
> it's not, and I don't think it's sane to cater to the former to the
> extent of making it require hacking the code to obtain certain
> reasonable configurations for the latter.)
A local machine may be hostile if it's been hacked.  Also note that the
straight-forward change -- permitting the redirect from anywhere --
creates a very serious DoS potential.  I'd be much more comfortable
with a knob permitting redirects from link-local addresses, though
again there's the hacked machine problem.

                --Steve Bellovin,

Home | Main Index | Thread Index | Old Index