From: Ed Maste
Date: Fri, 14 Jun 2024 10:51:03 -0400
Subject: Re: Discarding inbound ICMP REDIRECT by default
To: "Rodney W. Grimes"
Cc: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
In-Reply-To: <202406141352.45EDqfjx049399@gndrsh.dnsmgr.net>

On Fri, 14 Jun 2024 at 09:52, Rodney W. Grimes wrote:
>
> > I would argue that having IP forwarding enabled (i.e.
> > net.inet.ip.forwarding for IPv4) is what establishes FreeBSD as a
> > router, and ICMP REDIRECT messages are already dropped in kernel in
> > that case.
>
> Yet another mistake by FreeBSD. These ICMP dropping or not dropping
> are SITE SPECIFIC POLICIES, and should never be hard-coded to wrong
> knobs.

This change dates to 2004:

commit 87c3bd275523515dc67444b900a8f1d39ae257cd
Author: Andre Oppermann
Date:   Tue Jan 6 23:20:07 2004 +0000

    According to RFC1812 we have to ignore ICMP redirects when we are
    acting as router (ipforwarding enabled). This doesn't fix the problem
    that host routes from ICMP redirects are never removed from the kernel
    routing table but removes the problem for machines doing packet
    forwarding.

RFC1812 is not quite that explicit, but:

| A router using a routing protocol (other than static routes) MUST NOT
| consider paths learned from ICMP Redirects when forwarding a packet.
| If a router is not using a routing protocol, a router MAY have a
| configuration that, if set, allows the router to consider routes
| learned through ICMP Redirects when forwarding packets.