This test checks that customers cannot send ICMP packets carrying redirect messages. ICMP redirect messages are intended to be sent by the first-hop router to point a host at a better router. A malicious user can send a forged redirect message to a client, advertising a better path to the default gateway with itself as the redirect target. Valid ICMP packets must still be allowed and forwarded by the access switch.
Impact: MITM, DoS
Procedure:
- Malicious and Customer each send a valid ICMP Echo request to ISP.
- Malicious sends ICMP packets carrying a redirect message to Customer.
Fails if:
- Malicious or Customer does not receive an ICMP Echo reply from ISP.
- The ICMP packets carrying the redirect message arrive at Customer.
This test conforms to SEC Access Certification IDs "SEC-V4-REDIR-1" and "SEC-V4-REDIR-2" and to SAVI RFC 6959 sections 3.1.3 and 3.2.1.
Roles:
- Malicious Customer (Malicious): A customer interface performing malicious actions.
- Customer: One or more customers that Malicious attempts to affect.
- ISP: A central node on a trusted port.
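As an added illustration (not part of the test specification or any vendor's code), the Python below models the customer-port policy this test verifies: ICMP Echo passes, ICMP Redirect (type 5) is dropped, and a redirect whose gateway field equals the sender is reported as the self-redirect pattern described above. All addresses and frames are constructed sample values, not captures.

```python
import struct
from ipaddress import IPv4Address

ICMP_ECHO_REPLY, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 0, 5, 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_frame(src: str, dst: str, icmp_type: int, code: int = 0,
                     rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Constructed IPv4+ICMP packet used only as test input for the filter."""
    icmp = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    # Minimal 20-byte IPv4 header: version/IHL, TOS, total length, id,
    # flags/frag, TTL 64, protocol 1 (ICMP), checksum, src, dst.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def customer_port_policy(frame: bytes) -> str:
    """Decide what an access switch does with an ICMP frame from a customer port."""
    ihl = (frame[0] & 0x0F) * 4          # header length in bytes
    if frame[9] != 1:                    # not ICMP: outside this test's scope
        return "pass"
    src = IPv4Address(frame[12:16])
    icmp_type = frame[ihl]
    if icmp_type == ICMP_REDIRECT:
        # Redirect body: code (frame[ihl+1]), checksum, then 4-byte gateway.
        gateway = IPv4Address(frame[ihl + 4:ihl + 8])
        if gateway == src:
            return "drop:redirect-to-self"   # the MITM pattern under test
        return "drop:redirect"
    return "pass"                        # Echo and other valid ICMP is forwarded
```

Counting both drop reasons separately in port telemetry makes the self-redirect case, which indicates an attempt rather than a misconfigured router, visible to monitoring.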