ICMP redirect

 

This test checks that customers cannot send ICMP packets carrying redirect messages. ICMP redirect messages are intended to be used by the first-hop router to redirect hosts to a better router. A malicious user can send an incorrect redirect message to a client, informing the client of a better path to the default gateway and naming itself as the redirect target. Valid ICMP packets should still be allowed and passed by the access switch.

Impact: MITM, DoS

Test process

  • Malicious and Customer each send a valid ICMP Echo to ISP.
  • Malicious sends ICMP packets with a redirect message to Customer.

Fail criteria

  • Malicious or Customer does not receive an ICMP Echo reply from ISP.
  • The ICMP packets with redirect message arrive at Customer.
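
The fail criteria above, applied to packets captured at each node, as an added Python example that is not part of the original test. The addresses are constructed documentation values, the redirect is minimal (no embedded original datagram), and build, parse and evaluate are hypothetical helper names.

```python
import struct

ICMP_ECHO_REPLY, ICMP_REDIRECT, ICMP_ECHO = 0, 5, 8  # ICMP types (RFC 792)

def csum(data):
    """Internet checksum (RFC 1071) over data."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build(src, dst, icmp_type, rest=b"\x00" * 4):
    """Construct a minimal IPv4+ICMP packet for the sample captures."""
    icmp = struct.pack("!BBH4s", icmp_type, 0, 0, rest)
    icmp = icmp[:2] + struct.pack("!H", csum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip[:10] + struct.pack("!H", csum(ip)) + ip[12:] + icmp

def parse(pkt):
    """Return (src, dst, icmp_type, gateway) or None if not valid IPv4 ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8 or csum(pkt[ihl:]) != 0:
        return None
    dotted = lambda b: ".".join(map(str, b))
    icmp_type = pkt[ihl]
    # In a redirect, bytes 4-7 of the ICMP header carry the new gateway address.
    gw = dotted(pkt[ihl + 4:ihl + 8]) if icmp_type == ICMP_REDIRECT else None
    return dotted(pkt[12:16]), dotted(pkt[16:20]), icmp_type, gw

def evaluate(captures, addr):
    """Apply the fail criteria to packets received at each node; [] means pass."""
    failures = []
    parsed = {n: [p for p in map(parse, pkts) if p] for n, pkts in captures.items()}
    for node in ("Malicious", "Customer"):
        if (addr["ISP"], addr[node], ICMP_ECHO_REPLY, None) not in parsed[node]:
            failures.append(f"{node} got no Echo reply from ISP")
    for src, _, icmp_type, gw in parsed["Customer"]:
        if icmp_type == ICMP_REDIRECT:
            failures.append(f"redirect from {src} (gateway {gw}) reached Customer")
    return failures

# Constructed sample data: documentation addresses, not from the original page.
ADDR = {"ISP": "192.0.2.1", "Customer": "192.0.2.10", "Malicious": "192.0.2.66"}
reply = lambda node: build(ADDR["ISP"], ADDR[node], ICMP_ECHO_REPLY)
redirect = build(ADDR["Malicious"], ADDR["Customer"], ICMP_REDIRECT, bytes([192, 0, 2, 66]))
FILTERED = {"Malicious": [reply("Malicious")], "Customer": [reply("Customer")]}
UNFILTERED = {"Malicious": [reply("Malicious")], "Customer": [reply("Customer"), redirect]}
```

evaluate(FILTERED, ADDR) returns an empty list, which is a pass; evaluate(UNFILTERED, ADDR) reports the redirect that reached Customer.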

References

This test conforms to SEC Access Certification IDs "SEC-V4-REDIR-1" and "SEC-V4-REDIR-2" and to SAVI RFC 6959 sections 3.1.3 and 3.2.1.

Parameters

General

  • Malicious Customer: A customer interface performing malicious actions.
  • Customer: One or more customers that Malicious will affect.
  • ISP: A central node on a trusted port.