From: "Rodney W. Grimes"
Subject: Re: Discarding inbound ICMP REDIRECT by default
To: Ed Maste
CC: "Rodney W. Grimes", freebsd-net@FreeBSD.org
Date: Fri, 14 Jun 2024 08:13:20 -0700 (PDT)
Message-Id: <202406141513.45EFDKKF049691@gndrsh.dnsmgr.net>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

> On Fri, 14 Jun 2024 at 09:52, Rodney W. Grimes wrote:
> >
> > > I would argue that having IP forwarding enabled (i.e.
> > > net.inet.ip.forwarding for IPv4) is what establishes FreeBSD as a
> > > router, and ICMP REDIRECT messages are already dropped in kernel in
> > > that case.
> >
> > Yet another mistake by FreeBSD. These ICMP dropping or not dropping
> > are SITE SPECIFIC POLICIES, and should never be hard coded to wrong
> > knobs.
>
> This change dates to 2004:
>
> commit 87c3bd275523515dc67444b900a8f1d39ae257cd
> Author: Andre Oppermann
> Date:   Tue Jan 6 23:20:07 2004 +0000
>
>     According to RFC1812 we have to ignore ICMP redirects when we
                            ^^^^^^^^^^
Incorrect interpretation of IETF keyword "MAY".

>     are acting as router (ipforwarding enabled).
>
>     This doesn't fix the problem that host routes from ICMP redirects
>     are never removed from the kernel routing table but removes the
>     problem for machines doing packet forwarding.
>
> RFC1812 is not quite that explicit, but:
>
> | A router using a routing protocol (other than static routes) MUST NOT
> | consider paths learned from ICMP Redirects when forwarding a packet.
> | If a router is not using a routing protocol, a router MAY have a
> | configuration that, if set, allows the router to consider routes
> | learned through ICMP Redirects when forwarding packets.

That section is about how the router responds to an ICMP redirect sent
to IT, not one that is going THROUGH it.

5.2.7.2 about generating redirects is also not relevant here, as we are
discussing forwarding redirects.

As far as I can find RFC1812 does NOT discuss the issue of forwarding
ICMP REDIRECTs.

-- 
Rod Grimes                                                 rgrimes@freebsd.org