Securing the Network in Oracle® Solaris 11.3

Updated: September 2018

How to Prevent ICMP Redirects

Routers use ICMP redirect messages to inform hosts of more direct routes to a destination. Because a host accepts these messages without authentication, a forged ICMP redirect could steer the host's traffic through an attacker-chosen gateway and result in a man-in-the-middle attack.

Before You Begin

You must become an administrator who is assigned the Network Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Set the _ignore_redirect property to 1 for IPv4 and IPv6, then verify the current and persistent values.

    ICMP redirect messages modify the host's route table and are unauthenticated. Additionally, processing redirected packets increases the CPU load on the system.

    # ipadm set-prop -p _ignore_redirect=1 ipv4
    # ipadm set-prop -p _ignore_redirect=1 ipv6
    # ipadm show-prop -p _ignore_redirect ipv4
    PROTO  PROPERTY          PERM  CURRENT  PERSISTENT  DEFAULT  POSSIBLE
    ipv4   _ignore_redirect  rw    1        1           0        0,1
    # ipadm show-prop -p _ignore_redirect ipv6
    PROTO  PROPERTY          PERM  CURRENT  PERSISTENT  DEFAULT  POSSIBLE
    ipv6   _ignore_redirect  rw    1        1           0        0,1
  2. Prevent sending ICMP redirect messages.

    Redirect messages sent by this host include information from its route table that could reveal part of the network topology to a recipient.

    # ipadm set-prop -p send_redirects=off ipv4
    # ipadm set-prop -p send_redirects=off ipv6
    # ipadm show-prop -p send_redirects ipv4
    PROTO  PROPERTY        PERM  CURRENT  PERSISTENT  DEFAULT  POSSIBLE
    ipv4   send_redirects  rw    off      off         on       on,off
    # ipadm show-prop -p send_redirects ipv6
    PROTO  PROPERTY        PERM  CURRENT  PERSISTENT  DEFAULT  POSSIBLE
    ipv6   send_redirects  rw    off      off         on       on,off

    For more information, see send_redirects (IPv4 or IPv6) in Oracle Solaris 11.3 Tunable Parameters Reference Manual and the ipadm(1M) man page.
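As an added example that is not part of Oracle's documentation, the following POSIX shell helper audits the four settings from the two steps above by parsing the tabular `ipadm show-prop` output shown in this procedure (header line, then one data line whose fourth and fifth fields are CURRENT and PERSISTENT). The sample output lines inside it are constructed, and the column layout is assumed to match the listings above.

```shell
#!/bin/sh
# Audit helper for the ICMP redirect hardening above (added example, not
# Oracle's code). A hardened host must show the expected value in BOTH the
# CURRENT and the PERSISTENT column: a value applied only for the running
# system would pass CURRENT but be lost at reboot, so it is reported as a
# failure.

# check_prop_output OUTPUT EXPECTED -> 0 if compliant, 1 otherwise
# OUTPUT is the text of `ipadm show-prop -p <property> <protocol>`.
check_prop_output() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR > 1 && NF >= 5 { rows++; if ($4 != want || $5 != want) bad = 1 }
        END { if (rows == 1 && !bad) exit 0; exit 1 }'
}

# Constructed samples in the format shown in this procedure.
HARDENED_SAMPLE='PROTO  PROPERTY          PERM  CURRENT  PERSISTENT  DEFAULT  POSSIBLE
ipv4   _ignore_redirect  rw    1        1           0        0,1'
# Same property, but only the running value was changed (assumed display
# of an unset persistent value; the exact marker may differ).
TEMPORARY_SAMPLE='PROTO  PROPERTY          PERM  CURRENT  PERSISTENT  DEFAULT  POSSIBLE
ipv4   _ignore_redirect  rw    1        --          0        0,1'

# audit_redirects: query the live system for all four settings and print
# every deviation. Requires the Network Management rights profile.
# Returns 0 only when every setting is hardened and persistent.
audit_redirects() {
    rc=0
    for proto in ipv4 ipv6; do
        check_prop_output "$(ipadm show-prop -p _ignore_redirect "$proto" 2>/dev/null)" 1 ||
            { echo "$proto: _ignore_redirect is not 1 (current and persistent)"; rc=1; }
        check_prop_output "$(ipadm show-prop -p send_redirects "$proto" 2>/dev/null)" off ||
            { echo "$proto: send_redirects is not off (current and persistent)"; rc=1; }
    done
    return $rc
}
```

Run `audit_redirects` on the Solaris host after completing both steps; a non-zero exit status lists which protocol and property still deviate.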