Discarding inbound ICMP REDIRECT by default

2024-05-07 Thread Ed Maste
I propose that we start dropping inbound ICMP REDIRECTs by default, by setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and changing the associated rc.conf machinery). I've opened a Phabricator review at https://reviews.freebsd.org/D45102. ICMP REDIRECTs served a useful purpose in e

Re: Discarding inbound ICMP REDIRECT by default

2024-05-07 Thread Marek Zarychta
On 7.05.2024 at 20:12, Ed Maste wrote: I propose that we start dropping inbound ICMP REDIRECTs by default, by setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and changing the associated rc.conf machinery). I've opened a Phabricator review at https://reviews.freebsd.org/D45102.

Re: Discarding inbound ICMP REDIRECT by default

2024-05-08 Thread Ed Maste
On Tue, 7 May 2024 at 14:35, Marek Zarychta wrote: > > But what about IPv6 ? We have "net.inet6.icmp6.rediraccept" knob which > defaults to 1. Can ICMPv6 redirects be fixed along with the change > proposed for the legacy IP protocol? It may make sense to apply the same default change for IPv6, bu

Re: Discarding inbound ICMP REDIRECT by default

2024-06-12 Thread Rodney W. Grimes
> I propose that we start dropping inbound ICMP REDIRECTs by default, by > setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and > changing the associated rc.conf machinery). I've opened a Phabricator > review at https://reviews.freebsd.org/D45102. I propose that we NOT do this. If y

Re: Discarding inbound ICMP REDIRECT by default

2024-06-12 Thread Chris
On 2024-06-12 14:47, Rodney W. Grimes wrote: I propose that we start dropping inbound ICMP REDIRECTs by default, by setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and changing the associated rc.conf machinery). I've opened a Phabricator review at https://reviews.freebsd.org/D4510

Re: Discarding inbound ICMP REDIRECT by default

2024-06-12 Thread Chris
On 2024-06-12 15:05, Chris wrote: On 2024-06-12 14:47, Rodney W. Grimes wrote: I propose that we start dropping inbound ICMP REDIRECTs by default, by setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and changing the associated rc.conf machinery). I've opened a Phabricator review a

Re: Discarding inbound ICMP REDIRECT by default

2024-06-13 Thread Rodney W. Grimes
> On 2024-06-12 15:05, Chris wrote: > > On 2024-06-12 14:47, Rodney W. Grimes wrote: > >>> I propose that we start dropping inbound ICMP REDIRECTs by default, by > >>> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and > >>> changing the associated rc.conf machinery). I've opened a

Re: Discarding inbound ICMP REDIRECT by default

2024-06-13 Thread Rodney W. Grimes
> I propose that we start dropping inbound ICMP REDIRECTs by default, by > setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and > changing the associated rc.conf machinery). I've opened a Phabricator > review at https://reviews.freebsd.org/D45102. > > ICMP REDIRECTs served a useful

Re: Discarding inbound ICMP REDIRECT by default

2024-06-13 Thread Ed Maste
On Thu, 13 Jun 2024 at 09:39, Rodney W. Grimes wrote: > > Discarding ICMP redirects on an internet host is non-conformant with > STD-3 via rfc-1122. Processing of ICMP redirects is a MUST for hosts. In that case our default of "auto" is non-conformant if you have a routing daemon.

Re: Discarding inbound ICMP REDIRECT by default

2024-06-13 Thread Chris
On 2024-06-13 06:34, Rodney W. Grimes wrote: On 2024-06-12 15:05, Chris wrote: > On 2024-06-12 14:47, Rodney W. Grimes wrote: >>> I propose that we start dropping inbound ICMP REDIRECTs by default, by >>> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and >>> changing the associa

Re: Discarding inbound ICMP REDIRECT by default

2024-06-13 Thread Chris
On 2024-06-13 06:34, Rodney W. Grimes wrote: On 2024-06-12 15:05, Chris wrote: > On 2024-06-12 14:47, Rodney W. Grimes wrote: >>> I propose that we start dropping inbound ICMP REDIRECTs by default, by >>> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and >>> changing the associa

Re: Discarding inbound ICMP REDIRECT by default

2024-06-13 Thread Rodney W. Grimes
[ Charset UTF-8 unsupported, converting... ] > On Thu, 13 Jun 2024 at 09:39, Rodney W. Grimes > wrote: > > > > Discarding ICMP redirects on an internet host is non-conformant with > > STD-3 via rfc-1122. Processing of ICMP redirects is a MUST for hosts. > > In that case our default of "auto" is no

Re: Discarding inbound ICMP REDIRECT by default

2024-06-13 Thread Chris
On 2024-06-13 06:34, Rodney W. Grimes wrote: On 2024-06-12 15:05, Chris wrote: > On 2024-06-12 14:47, Rodney W. Grimes wrote: >>> I propose that we start dropping inbound ICMP REDIRECTs by default, by >>> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and >>> changing the associa

Re: Discarding inbound ICMP REDIRECT by default

2024-06-13 Thread Bakul Shah
On Jun 13, 2024, at 6:39 AM, Rodney W. Grimes wrote: > >> I propose that we start dropping inbound ICMP REDIRECTs by default, by >> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and >> changing the associated rc.conf machinery). I've opened a Phabricator >> review at https://re

Re: Discarding inbound ICMP REDIRECT by default

2024-06-13 Thread Chris
On 2024-06-13 06:34, Rodney W. Grimes wrote: On 2024-06-12 15:05, Chris wrote: > On 2024-06-12 14:47, Rodney W. Grimes wrote: >>> I propose that we start dropping inbound ICMP REDIRECTs by default, by >>> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and >>> changing the associa

Re: Discarding inbound ICMP REDIRECT by default

2024-06-13 Thread Chris
On 2024-06-13 06:34, Rodney W. Grimes wrote: On 2024-06-12 15:05, Chris wrote: > On 2024-06-12 14:47, Rodney W. Grimes wrote: >>> I propose that we start dropping inbound ICMP REDIRECTs by default, by >>> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and >>> changing the associa

Re: Discarding inbound ICMP REDIRECT by default

2024-06-14 Thread Chris
On 2024-06-13 06:34, Rodney W. Grimes wrote: On 2024-06-12 15:05, Chris wrote: > On 2024-06-12 14:47, Rodney W. Grimes wrote: >>> I propose that we start dropping inbound ICMP REDIRECTs by default, by >>> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and >>> changing the associa

Re: Discarding inbound ICMP REDIRECT by default

2024-06-14 Thread Ed Maste
> > > Discarding ICMP redirects on an internet host is non-conformant with > > > STD-3 via rfc-1122. Processing of ICMP redirects is a MUST for hosts. > > > > In that case our default of "auto" is non-conformant if you have a > > routing daemon. > > NO, because then you're not subject to rfc-1122 as y

Re: Discarding inbound ICMP REDIRECT by default

2024-06-14 Thread Ed Maste
On Wed, 12 Jun 2024 at 18:05, Chris wrote: > > As Rodney already effectively explains; dropping packets makes routing, > and discovery exceedingly difficult. Which is NOT what the average user > wants, This is on end hosts only, not routers (which already drop ICMP REDIRECT). > or expects. I us

Re: Discarding inbound ICMP REDIRECT by default

2024-06-14 Thread Rodney W. Grimes
> On Wed, 12 Jun 2024 at 18:05, Chris wrote: > > > > As Rodney already effectively explains; dropping packets makes routing, > > and discovery exceedingly difficult. Which is NOT what the average user > > wants, > > This is on end hosts only, not routers (which already drop ICMP REDIRECT). Prob

Re: Discarding inbound ICMP REDIRECT by default

2024-06-14 Thread Rodney W. Grimes
> > > > Discarding ICMP redirects on an internet host is non-conformant with > > > > STD-3 via rfc-1122. Processing of ICMP redirects is a MUST for hosts. > > > > > > In that case our default of "auto" is non-conformant if you have a > > > routing daemon. > > > > NO, because then you're not subject to

Re: Discarding inbound ICMP REDIRECT by default

2024-06-14 Thread Ed Maste
On Fri, 14 Jun 2024 at 09:52, Rodney W. Grimes wrote: > > > > I would argue that having IP forwarding enabled (i.e. > > net.inet.ip.forwarding for IPv4) is what establishes FreeBSD as a > > router, and ICMP REDIRECT messages are already dropped in kernel in > > that case. > > Yet another mistake b

Re: Discarding inbound ICMP REDIRECT by default

2024-06-14 Thread Ed Maste
On Fri, 14 Jun 2024 at 09:57, Rodney W. Grimes wrote: > > I am not sure that it would "hang" the port, but by ignoring the > redirect you're going to place additional burden on the router that > is trying to redirect you as all packets would have to be forwarded > by that router. I suppose it could

Re: Discarding inbound ICMP REDIRECT by default

2024-06-14 Thread Rodney W. Grimes
> On Fri, 14 Jun 2024 at 09:52, Rodney W. Grimes > wrote: > > > > > > I would argue that having IP forwarding enabled (i.e. > > > net.inet.ip.forwarding for IPv4) is what establishes FreeBSD as a > > > router, and ICMP REDIRECT messages are already dropped in kernel in > > > that case. > > > > Yet

Re: Discarding inbound ICMP REDIRECT by default

2024-06-14 Thread Marek Zarychta
On 8.05.2024 at 21:14, Ed Maste wrote: It may make sense to apply the same default change for IPv6, but I don't think we need to tie the two discussions / investigations together. IMHO it is important to link ICMP6 with ICMP in terms of ICMP redirection. I have the impression that we are ne

Re: Discarding inbound ICMP REDIRECT by default

2024-06-14 Thread Ed Maste
On Fri, 14 Jun 2024 at 11:13, Rodney W. Grimes wrote: > > That section is about how the router responds to an ICMP redirect > sent to IT, not one that is going THROUGH it. Sorry I wasn't explicit, in all cases I'm talking about ICMP REDIRECTs destined for the machine (as a host or as a router). Th

Re: Discarding inbound ICMP REDIRECT by default

2024-06-14 Thread Rodney W. Grimes
> On Fri, 14 Jun 2024 at 11:13, Rodney W. Grimes > wrote: > > > > That section is about how the router responds to an ICMP redirect > > sent to IT, not one that is going THROUGH it. > > Sorry I wasn't explicit, in all cases I'm talking about ICMP REDIRECTs > destined for the machine (as a host or

Re: Discarding inbound ICMP REDIRECT by default

2024-06-14 Thread Chris
On 2024-06-14 05:50, Ed Maste wrote: On Wed, 12 Jun 2024 at 18:05, Chris wrote: As Rodney already effectively explains; dropping packets makes routing, and discovery exceedingly difficult. Which is NOT what the average user wants, This is on end hosts only, not routers (which already drop I