From owner-freebsd-questions@FreeBSD.ORG Sun Sep 18 21:05:39 2011
From: Brett Glass
To: "Brian Seklecki (Mobile)"
Cc: questions@freebsd.org
Date: Sun, 18 Sep 2011 15:05:31 -0600
Subject: Re: ICMP redirects and FreeBSD
Message-Id: <201109182105.PAA01205@lariat.net>
References: <201109180353.VAA25649@lariat.net>

At 11:06 PM 9/17/2011, Brian Seklecki (Mobile) wrote:

>Only a few unsound routing/network topology configurations really
>depend on redirects these days; They can't be trusted because they
>can't be authenticated? ~BAS

There's no cryptologically sound authentication, true, but there isn't for proxy ARP either (and that's one of the other options that I'd rather not use). Redirects do have the advantage that they can be firewalled, so that they will not be allowed to originate outside the network and will only be accepted from certain trusted hosts within it. If the firewall rules are correct, an outside attacker can't spoof redirects.
My interest in this is that I am trying to figure out the best way to manage a routed corporate network with rapidly changing topology and frequent assignments and reassignments of addresses and address blocks. RIP is a disastrous mess and very chatty. But allowing a gateway to tell routers "below" it in the network hierarchy about one another's address assignments via ICMP redirects is very efficient and manageable. It means that only the gateway's routing table must be updated to do an address assignment. What's more, there's virtually zero propagation time and no flapping.

The problem seems to be that RFC 1821 ignores this use of ICMP redirects. It recommends not allowing any router to accept ICMP redirects, and this appears to have been hard coded into FreeBSD's network stack.

--Brett Glass
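The acceptance policy Brett describes in the message above (redirects firewalled so they are honoured only from a short list of trusted hosts on the local segment) can be made concrete as a packet-level check. The following is an added example, not code from this thread or from FreeBSD's stack: it models the filter a host or a "below" router would apply before acting on an ICMPv4 redirect, combining the trusted-source rule from the mail with the host-side sanity checks from RFC 1122 section 3.2.2.2 (the redirect must come from the current first hop, must describe a datagram we actually sent, and must name a next hop on the directly connected network). The topology, addresses, trusted list and every packet below are constructed for the example and are assumptions, not anything from the original page.

```python
"""Validate incoming ICMPv4 redirects (type 5) against a trusted-gateway policy
plus the RFC 1122 3.2.2.2 host checks.  All packets here are constructed for
the example; nothing is captured traffic.  Added example, not FreeBSD code."""
import ipaddress
import struct

ICMP_REDIRECT = 5   # ICMP type for Redirect
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Verifying a correct packet yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, src.packed, dst.packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_redirect(src, dst, new_gw, orig_src, orig_dst, code=1):
    """Constructed IPv4/ICMP Redirect (code 1 = redirect for host)."""
    src, dst, new_gw, orig_src, orig_dst = map(
        ipaddress.IPv4Address, (src, dst, new_gw, orig_src, orig_dst))
    # The "offending" datagram: its IP header plus the first 8 bytes (UDP here).
    inner = _ipv4_header(orig_src, orig_dst, 17, 8) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, new_gw.packed) + inner
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return _ipv4_header(src, dst, IPPROTO_ICMP, len(icmp)) + icmp


def next_hop(routes, dst):
    """Longest-prefix match over [(IPv4Network, gateway)]; None if unrouted."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def check_redirect(pkt, my_addr, my_net, trusted_gateways, routes):
    """Return (accept, reason) for a raw IPv4 packet received on the interface
    whose address is my_addr and whose directly connected network is my_net."""
    my_addr = ipaddress.IPv4Address(my_addr)
    my_net = ipaddress.IPv4Network(my_net)
    trusted = {ipaddress.IPv4Address(a) for a in trusted_gateways}
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False, "not IPv4"
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 + 28:
        return False, "truncated: redirect must carry original header + 8 bytes"
    if inet_checksum(pkt[:ihl]) != 0:
        return False, "bad IP header checksum"
    if pkt[9] != IPPROTO_ICMP:
        return False, "not ICMP"
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    icmp = pkt[ihl:]
    if inet_checksum(icmp) != 0:
        return False, "bad ICMP checksum"
    if icmp[0] != ICMP_REDIRECT:
        return False, "not a redirect"
    if icmp[1] not in (0, 1, 2, 3):
        return False, "unknown redirect code"
    new_gw = ipaddress.IPv4Address(icmp[4:8])
    inner = icmp[8:]
    inner_src = ipaddress.IPv4Address(inner[12:16])
    inner_dst = ipaddress.IPv4Address(inner[16:20])
    # Policy from the mail: only trusted hosts on this segment may redirect us,
    # and they may only point at another router on this segment.
    if src not in trusted:
        return False, f"redirect from untrusted source {src}"
    if src not in my_net or new_gw not in my_net:
        return False, "sender and new gateway must both be on the connected net"
    # RFC 1122 3.2.2.2: must concern a datagram we sent, and must come from
    # the router we are currently using for that destination.
    if dst != my_addr or inner_src != my_addr:
        return False, "embedded datagram was not ours"
    if next_hop(routes, inner_dst) != src:
        return False, f"{src} is not the current next hop for {inner_dst}"
    if new_gw == src:
        return False, "redirect points back at the sender"
    return True, f"install host route {inner_dst} via {new_gw}"


# Constructed topology (assumption): we are 10.0.0.20/24; default route via
# trusted gateway 10.0.0.1; 172.16/12 via trusted gateway 10.0.0.3.
ME, NET = "10.0.0.20", "10.0.0.0/24"
TRUSTED = ["10.0.0.1", "10.0.0.3"]
ROUTES = [(ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Address("10.0.0.1")),
          (ipaddress.IPv4Network("172.16.0.0/12"), ipaddress.IPv4Address("10.0.0.3"))]


def scenario():
    """Run the filter over constructed packets; returns {case: accepted}."""
    good = build_redirect("10.0.0.1", ME, "10.0.0.2", ME, "192.0.2.9")
    cases = {
        "trusted_gw_onlink": good,
        "spoofed_offlink": build_redirect("198.51.100.7", ME, "10.0.0.2", ME, "192.0.2.9"),
        "onlink_not_trusted": build_redirect("10.0.0.99", ME, "10.0.0.2", ME, "192.0.2.9"),
        "gateway_offlink": build_redirect("10.0.0.1", ME, "172.16.0.1", ME, "192.0.2.9"),
        "not_our_datagram": build_redirect("10.0.0.1", ME, "10.0.0.2", "10.0.0.30", "192.0.2.9"),
        "wrong_first_hop": build_redirect("10.0.0.1", ME, "10.0.0.2", ME, "172.16.5.5"),
        "corrupted": good[:30] + bytes([good[30] ^ 0x01]) + good[31:],
    }
    return {name: check_redirect(p, ME, NET, TRUSTED, ROUTES)[0]
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:20s} {'ACCEPT' if ok else 'DROP'}")
```

The "spoofed_offlink" case is the one a perimeter rule stops; the "onlink_not_trusted" and "wrong_first_hop" cases show why the allow-list alone is not enough, since any host on the segment can forge a redirect from a trusted address unless the first-hop check (and, in practice, anti-spoofing at layer 2) is also applied. On FreeBSD the stack-wide switch for incoming redirects is the net.inet.icmp.drop_redirect sysctl; a firewall such as pf or ipfw can implement the per-source rule described in the mail, but neither can supply the cryptographic authentication that the quoted reply points out is missing.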