Routers use ICMP redirect messages to inform hosts of more direct routes to a destination. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Before You Begin
You must become an administrator who is assigned the Network Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
ICMP redirect messages modify the host's route table and are unauthenticated. Additionally, the processing of redirected packets increases CPU demands on systems.
# ipadm set-prop -p _ignore_redirect=1 ipv4 # ipadm set-prop -p _ignore_redirect=1 ipv6 # ipadm show-prop -p _ignore_redirect ipv4 PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE ipv4 _ignore_redirect rw 1 1 0 0,1 # ipadm show-prop -p _ignore_redirect ipv6 PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE ipv6 _ignore_redirect rw 1 1 0 0,1
These messages include information from the route table that could reveal part of the network topology.
# ipadm set-prop -p send-redirects=off ipv4 # ipadm set-prop -p send-redirects=off ipv6 # ipadm show-prop -p send-redirects ipv4 PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE ipv4 send-redirects rw off off on on,off # ipadm show-prop -p send-redirects ipv6 PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE ipv6 send-redirects rw off off on on,off
For more information, see send-redirects Parameter (IPv4 or IPv6) in Oracle Solaris 11.4 Tunable Parameters Reference Manual and the ipadm(8) man page.