Re: ICMPv6 redirects

To: der Mouse <mouse%Rodents-Montreal.ORG@localhost>
Subject: Re: ICMPv6 redirects
From: "Steven M. Bellovin" <smb%cs.columbia.edu@localhost>
Date: Mon, 7 Sep 2009 20:52:22 -0400

On Mon, 7 Sep 2009 20:25:41 -0400 (EDT)
der Mouse <mouse%Rodents-Montreal.ORG@localhost> wrote:

> >>> I do understand why this is implemented this way.  But shouldn't
> >>> this be tunable?
> >> [..."I think so"...]
> > In this case, though, there's a security issue, though arguably one
> > that's not a lot more serious than Neighbor Discovery without SEND.
> 
> What's the issue?  I can't see anything wrong with this, unless the
> threat model includes hostile machines in the same broadcast domain.
> (Yes, there are plenty of environments where that's a necessary part
> of the threat model, but there are also plenty of environments where
> it's not, and I don't think it's sane to cater to the former to the
> extent of making it require hacking the code to obtain certain
> reasonable configurations for the latter.)
> 
A local machine may be hostile if it's been hacked.  Also note that the
straight-forward change -- permitting the redirect from anywhere --
creates a very serious DoS potential.  I'd be much more comfortable
with a knob permitting redirects from link-local addresses, though
again there's the hacked machine problem.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb

References:
- ICMPv6 redirects
  - From: Jonathan A. Kollasch
- Re: ICMPv6 redirects
  - From: der Mouse
- Re: ICMPv6 redirects
  - From: Steven M. Bellovin
- Re: ICMPv6 redirects
  - From: der Mouse

Prev by Date: Re: ICMPv6 redirects
Next by Date: PROPSAL: import Apple's mDNSResponder
Previous by Thread: Re: ICMPv6 redirects
Next by Thread: PROPSAL: import Apple's mDNSResponder
Indexes:

Home | Main Index | Thread Index | Old Index