path: root/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml
blob: 0f226a847b30ed31e751194e430de19454b0edb7 (plain)
---
upgrade:
  - The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects
    are now set to 0 to prevent a compromised host from sending invalid ICMP
    redirects to other router devices.
  - The net.ipv4.conf.default.accept_redirects,
    net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects
    are now set to 0 to prevent forged ICMP packets from altering the host's
    routing tables.
  - The net.ipv4.conf.default.secure_redirects &
    net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance
    of secure ICMP redirected packets.
security:
  - Invalid ICMP redirects may corrupt routing and have users access a system
    set up by the attacker as opposed to a valid system.
  - Routing tables may be altered by bogus ICMP redirect messages and send
    packets to incorrect networks.
  - Secure ICMP redirects are the same as ICMP redirects, except they come from
    gateways listed on the default gateway list.
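
To confirm after an upgrade that a host actually carries the values listed above, the following check compares a `sysctl -a` style dump against the seven keys named in this note. It is an added example, not part of the release note or the project's code; the function names, the `eth0` interface and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a `sysctl -a` style dump against the release note's keys.
EXPECTED_KEYS="net.ipv4.conf.default.send_redirects
net.ipv4.conf.all.send_redirects
net.ipv4.conf.default.accept_redirects
net.ipv6.conf.default.accept_redirects
net.ipv6.conf.all.accept_redirects
net.ipv4.conf.default.secure_redirects
net.ipv4.conf.all.secure_redirects"

# write_sample FILE: constructed sample dump (hypothetical host, not real output).
write_sample() {
    cat > "$1" <<'EOF'
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
EOF
}

# audit_redirects FILE: print one DRIFT line per listed key that is missing or
# not 0; the return status is the number of such keys (0 means compliant).
audit_redirects() {
    bad=0
    for key in $EXPECTED_KEYS; do
        # Exact key match, whitespace around "=" ignored, last occurrence wins.
        val=$(awk -F'=' -v k="$key" '
            { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
            $1 == k { v = $2; found = 1 }
            END { if (found) print v; else print "MISSING" }' "$1")
        if [ "$val" != "0" ]; then
            echo "DRIFT $key = $val (expected 0)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

sample=$(mktemp)
write_sample "$sample"
audit_redirects "$sample" || echo "$? key(s) differ from the release note"
rm -f "$sample"
```

On a live host the dump can be produced with `sysctl -a > dump.txt`; per-interface keys such as the `eth0` line are deliberately not checked because the note only names the `default` and `all` entries.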