tech-net archive


Re: ICMPv6 redirects



>>> I do understand why this is implemented this way.  But shouldn't
>>> this be tunable?
>> [..."I think so"...]
> In this case, though, there's a security issue, though arguably one
> that's not a lot more serious than Neighbor Discovery without SEND.

What's the issue?  I can't see anything wrong with this, unless the
threat model includes hostile machines in the same broadcast domain.
(Yes, there are plenty of environments where that's a necessary part of
the threat model, but there are also plenty of environments where it's
not, and I don't think it's sane to cater to the former to the extent
of making it require hacking the code to obtain certain reasonable
configurations for the latter.)

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

