From nobody Tue May  7 18:12:11 2024
X-Original-To: freebsd-net@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VYmbt6J9rz5JMhW
	for <freebsd-net@mlmmj.nyi.freebsd.org>; Tue, 07 May 2024 18:13:14 +0000 (UTC)
	(envelope-from carpeddiem@gmail.com)
Received: from mail-lf1-f44.google.com (mail-lf1-f44.google.com [209.85.167.44])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4VYmbt2SMSz4lqw
	for <freebsd-net@freebsd.org>; Tue,  7 May 2024 18:13:14 +0000 (UTC)
	(envelope-from carpeddiem@gmail.com)
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=freebsd.org (policy=none);
	spf=pass (mx1.freebsd.org: domain of carpeddiem@gmail.com designates 209.85.167.44 as permitted sender) smtp.mailfrom=carpeddiem@gmail.com
Received: by mail-lf1-f44.google.com with SMTP id 2adb3069b0e04-51f57713684so4363344e87.1
        for <freebsd-net@freebsd.org>; Tue, 07 May 2024 11:13:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1715105592; x=1715710392;
        h=to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=6wUrcIioZ37Wzu6wS+u/jM1fWzJT+bQLWuNmttQyGrk=;
        b=rX4SzZ0FTBi5lFM6ChfCUA1obU7FE7WDVYzMqURUKCiHD3YSlyu84iY1vPHDjLv733
         lnWPedq8oFBHAmV29o5dxeFi54tvRwkIa9dy0KhjFeDpUXSVvhzkyRnIFuIJ/Gd4ObNh
         GAKY5wFe+w8cM4eP5NvdjS3zRYWXbimghB1ShUceNP5DQorIz8bR+xVm3D5n3rSvJ7Vh
         E6HCYBFzPMTapGwvC1tkeNGHIzksOFuwGQYL0ajw5suK9+Xf9635kuqQPRzoOlFiYAWH
         U4P+xyrg4N3jdYa3no+3OXnMpvTLa/E4hV8Vpi9qbdM2axPXNgGxQva0rjfAcQh1TO5t
         wOrA==
X-Gm-Message-State: AOJu0YyyrLjJtMcGELDT+WPTAlwWA4zcVsI80kFZytYC3qEMkKS+q3eH
	zvREJ4sFY+XKt4yVdcTEUt0chTvPxf/Y5TFj92q30QKfMbryuE35kBfasjDmXGYZmdxNwF2xMUN
	DCWxkmgTZ2iGtzZSZBcf3HneRNkIVKcT9
X-Google-Smtp-Source: AGHT+IGkTrL1+93SPkKwdPNwZEd4hO4iNLRD+tFV4iT1nq2LcZYWmeFRHNHKcfvyC9JkS5Cdzbz/nVhInyhu6Brdsik=
X-Received: by 2002:a19:f807:0:b0:51f:b781:7297 with SMTP id
 2adb3069b0e04-5217c276e2dmr198341e87.8.1715105592162; Tue, 07 May 2024
 11:13:12 -0700 (PDT)
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-net
List-Help: <mailto:freebsd-net+help@freebsd.org>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Subscribe: <mailto:freebsd-net+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-net+unsubscribe@freebsd.org>
Sender: owner-freebsd-net@FreeBSD.org
MIME-Version: 1.0
From: Ed Maste <emaste@freebsd.org>
Date: Tue, 7 May 2024 14:12:11 -0400
Message-ID: <CAPyFy2CKZFf6QF1j-kWPG+3yetjNSszdCnJF=T6-hPmozheYYw@mail.gmail.com>
Subject: Discarding inbound ICMP REDIRECT by default
To: freebsd-net@freebsd.org
Content-Type: text/plain; charset="UTF-8"
X-Spamd-Bar: --
X-Spamd-Result: default: False [-2.90 / 15.00];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-1.00)[-0.996];
	FORGED_SENDER(0.30)[emaste@freebsd.org,carpeddiem@gmail.com];
	R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c];
	MIME_GOOD(-0.10)[text/plain];
	DMARC_POLICY_SOFTFAIL(0.10)[freebsd.org : SPF not aligned (relaxed), No valid DKIM,none];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	FROM_HAS_DN(0.00)[];
	RCPT_COUNT_ONE(0.00)[1];
	MISSING_XM_UA(0.00)[];
	MIME_TRACE(0.00)[0:+];
	ARC_NA(0.00)[];
	RCVD_COUNT_ONE(0.00)[1];
	ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US];
	FREEMAIL_ENVFROM(0.00)[gmail.com];
	PREVIOUSLY_DELIVERED(0.00)[freebsd-net@freebsd.org];
	TO_DN_NONE(0.00)[];
	FROM_NEQ_ENVFROM(0.00)[emaste@freebsd.org,carpeddiem@gmail.com];
	FREEFALL_USER(0.00)[carpeddiem];
	MLMMJ_DEST(0.00)[freebsd-net@freebsd.org];
	TO_DOM_EQ_FROM_DOM(0.00)[];
	R_DKIM_NA(0.00)[];
	RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.167.44:from];
	RCVD_IN_DNSWL_NONE(0.00)[209.85.167.44:from]
X-Rspamd-Queue-Id: 4VYmbt2SMSz4lqw

I propose that we start dropping inbound ICMP REDIRECTs by default, by
setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and
changing the associated rc.conf machinery). I've opened a Phabricator
review at https://reviews.freebsd.org/D45102.

ICMP REDIRECTs served a useful purpose in earlier networks, but on
balance are more likely to represent a security issue today than to
provide a routing benefit. With the change in review it is of course
still possible to enable them if desired for a given installation.
This change would appear in FreeBSD 15.0 and would not be MFC'd.

One question raised in the review is about switching the default to
YES but keeping the special handling for "auto" (dropping ICMP
REDIRECT if a routing daemon is in use, honouring them if not). I
don't think this is particularly valuable given that auto was
introduced to override the default NO when necessary; there's no need
for it with the default being YES. That functionality could be
maintained if there is a compelling use case, though.

If you have any questions or feedback please follow up here or in the review.