Date:      Thu, 13 Jun 2024 13:51:02 -0700
From:      Bakul Shah <bakul@iitbombay.org>
To:        "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
Cc:        Ed Maste <emaste@FreeBSD.org>, FreeBSD Net <freebsd-net@FreeBSD.org>
Subject:   Re: Discarding inbound ICMP REDIRECT by default
Message-ID:  <BB772A69-7AED-4511-86E8-4FCC4886F7B1@iitbombay.org>
In-Reply-To: <202406131339.45DDdDma044779@gndrsh.dnsmgr.net>
References:  <202406131339.45DDdDma044779@gndrsh.dnsmgr.net>

On Jun 13, 2024, at 6:39 AM, Rodney W. Grimes <freebsd-rwg@gndrsh.dnsmgr.net> wrote:
>
>> I propose that we start dropping inbound ICMP REDIRECTs by default, by
>> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and
>> changing the associated rc.conf machinery). I've opened a Phabricator
>> review at https://reviews.freebsd.org/D45102.
>>
>> ICMP REDIRECTs served a useful purpose in earlier networks, but on
>> balance are more likely to represent a security issue today than to
>> provide a routing benefit. With the change in review it is of course
>> still possible to enable them if desired for a given installation.
>> This change would appear in FreeBSD 15.0 and would not be MFC'd.
>>
>> One question raised in the review is about switching the default to
>> YES but keeping the special handling for "auto" (dropping ICMP
>> REDIRECT if a routing daemon is in use, honouring them if not). I
>> don't think this is particularly valuable given that auto was
>> introduced to override the default NO when necessary; there's no need
>> for it with the default being YES. That functionality could be
>> maintained if there is a compelling use case, though.
>>
>> If you have any questions or feedback please follow up here or in the review.
>
> Discarding ICMP redirects on an internet host is non-conformant with
> STD-3 via rfc-1122.  Processing of ICMP redirects is a MUST for hosts.

Back when we did a router startup, I carefully read significant portions
of rfc1122 + rfc1812 several times over. Rodney is 100% right here but
the larger issue is following relevant standards or RFCs. Anyone
contemplating such changes should become intimately familiar with these
two documents (+ any update RFCs). [Not to mention there should be tests
checking conformance]
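The YES/NO/auto resolution that the proposal above describes, written out as an added POSIX sh example; it is not code from this thread or from FreeBSD's own rc scripts. It assumes the rc.conf(5) knob icmp_drop_redirect with its documented values, and the function names, the list of routing daemon process names, and the dry-run behaviour on non-FreeBSD systems are assumptions of the example.

```shell
#!/bin/sh
# Added example (not the thread's or FreeBSD's own code): map an rc.conf-style
# icmp_drop_redirect setting to the value net.inet.icmp.drop_redirect should
# receive. Semantics follow the proposal: YES drops inbound ICMP REDIRECTs,
# NO honours them, and "auto" drops them only while a routing daemon is running.

# resolve_drop_redirect SETTING DAEMON_RUNNING
#   SETTING        : YES | NO | auto (case-insensitive, as rc.conf accepts)
#   DAEMON_RUNNING : 1 if a routing daemon is up, 0 otherwise
# Prints 1 (drop) or 0 (honour); returns 1 on an unrecognised setting.
resolve_drop_redirect() {
    setting=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    daemon_running=$2
    case "$setting" in
        yes|true|on|1)  echo 1 ;;
        no|false|off|0) echo 0 ;;
        auto)
            if [ "$daemon_running" -eq 1 ]; then echo 1; else echo 0; fi ;;
        *)
            echo "unknown icmp_drop_redirect value: $1" >&2
            return 1 ;;
    esac
}

# routing_daemon_running: prints 1 if any known routing daemon process exists.
# The daemon name list is an assumption; extend it for your installation.
routing_daemon_running() {
    for d in routed bird bird6 zebra bgpd ospfd; do
        if pgrep -x "$d" >/dev/null 2>&1; then
            echo 1
            return 0
        fi
    done
    echo 0
}

# apply_drop_redirect SETTING: compute the desired value and set the sysctl.
# Only FreeBSD has net.inet.icmp.drop_redirect; elsewhere it prints what it
# would run so the logic can be exercised on any host.
apply_drop_redirect() {
    want=$(resolve_drop_redirect "$1" "$(routing_daemon_running)") || return 1
    if [ "$(uname -s)" = "FreeBSD" ]; then
        sysctl net.inet.icmp.drop_redirect="$want"
    else
        echo "would run: sysctl net.inet.icmp.drop_redirect=$want"
    fi
}

# Example invocation, e.g. from an rc.conf value: apply_drop_redirect auto
```

On a FreeBSD host the current state can be checked with `sysctl net.inet.icmp.drop_redirect`; a value of 1 means inbound REDIRECTs are discarded, which is the hardened default the proposal argues for and the behaviour Rodney notes is non-conformant with RFC 1122 for a plain host.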