[ previous ] [ next ] [ threads ]
 
 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PPTP tunnel setup
 Date:  Wed, 9 Feb 2005 18:52:11 -0800 (PST)
On Tue, 8 Feb 2005, Chris Buechler wrote:
> On Tue, 8 Feb 2005 13:30:01 -0800 (PST), Fred Wright <fw at well dot com> wrote:
> > 
> > 
> > Yes, and not only is a route on the default gateway alone usually
> > *suf*ficent, but also it's *ef*ficient if the gateway generates ICMP
> > Redirects and they're honored by the clients.

> Efficient, absolutely.  Secure?  Depends on how much you can trust
> your LAN.  As with many TCP/IP features, this is a good thing from a
> performance and functionality standpoint, but bad from a security
> standpoint.  This can be abused by any system on your LAN to basically
> manipulate your routing table at will.  Most likely for the purpose of
> playing man in the middle or sniffing your connections.

Not so easily.  In order for an ICMP Redirect to be honored, it has to
meet a few conditions:

1) The embedded "offending" packet must be something that was plausibly
sent recently by the target.

2) The ICMP must originate from the IP address which is the target's
current next-hop router address (which is by definition
directly-connected) for the destination in question.

3) The new router address must lie in the same subnet as the old.

> Of course even if you disable ICMP redirects, there are other means to
> the same end, like ARP poisoning for one, and more measures to protect
> against those.

Other means which are much more easily exploited.

> My point, I suppose, is don't allow your hosts to obey ICMP redirects
> if you have good reason to be paranoid about other machines on your
> LAN.  :)

If your LAN is "hostile", then the only way to be secure is to partition
it via a filtering router or bridge.  In that case, the filter can easily
arrange to block Redirects.  If your LAN is "friendly" anough to trust
ordinary switches and hubs, the ICMP Redirect is the least of your
worries.  In neither case is it necessary to disable it on the hosts.

Note that a corollary to condition #2 above is that it's never useful to
*forward* ICMP Redirects.  It's also rarely useful for a router to *honor*
Redirects, since it's rarely the *originator* of the "offending" traffic.
Hence, in most cases, it would be acceptable and desirable for a router to
block all incoming (in the interface-relative sense) Redirects, while
permitting its own outgoing Redirects.

Unfortunately, IPFilter's stateful filtering makes it impossible to block
properly-constructed Redirects, since ICMP errors matching established
state entries are passed regardless of rules.  A cheap fix would be to
remove the Redirect case from the list of ICMP error types that are
allowed through by state matches.  This would still permit explicit pass
rules where needed.  It wouldn't be a desirable unconditional source
change, though, since the present behavior is appropriate for a host.

					Fred Wright