3.2.2 Disable ICMP Redirects on all Layer 3 Interfaces

Information

An ICMP redirect packet informs a host that there is a better next hop to reach a destination host or network. The host then caches this route (the host is the potential victim here, since it acts on what it is told).

For instance, if the default gateway of a host is the NX-OS switch, and the host sends a packet to an internet or WAN IP, the NX-OS switch will inform the host that the firewall or WAN router is a better path. If at some future time that firewall or WAN router fails and triggers a routing change, the route to the failed device will persist in the host's cache.

This scenario is only in play if the NX-OS device is the gateway for the victim host, and the firewall or WAN router (or other next hop device) is also on the same subnet as the victim host. Also, if the next hop device handles its own failover (for instance, using HSRP), there is no routing change, so the redirect issue will not be a problem.

This situation is generally a problem only if the path to the destination is handled by a 'next hop' mechanism, for instance by a routing protocol or a local route-map, and a backup path exists. In this situation, the route to the target will fail, the route will change to the backup path, and the victim will cache the old route for minutes or hours after the failure.

Rationale:

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

It is recommended that you perform this task on all Layer 3 Interfaces which have both a primary and a backup routed path to any destination. In particular, the next hop will need to be in the same subnet as the potential victim hosts.

The corollary to this is that if the network is architected such that all layer 3 egress paths are on dedicated or 'point to point' segments (with no other hosts on those segments), then the ip redirect issue will never arise.

switch(config-if)# no ip redirects
switch(config-if)# exit
switch(config)#

Default Value:

IP redirects are enabled by default, and the default does not appear in the running configuration. The desired value is 'no ip redirects', which does appear in the configuration when set, so absence of that line on a Layer 3 interface means redirects are still enabled.
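Because the default is silent in the configuration, a compliance check has to treat the absence of 'no ip redirects' on a Layer 3 interface as a finding. The following script is an added example, not part of the CIS benchmark or Nessus plugin text: it parses a constructed NX-OS running-config excerpt (the interface names and addresses are made up for illustration), identifies Layer 3 interfaces by the presence of an 'ip address' line, reports which of them still have redirects enabled, and generates the remediation commands shown in the Solution section. The 'exempt_prefixes' parameter is an assumption of this example, intended for the point-to-point or loopback interfaces that the Solution text notes are not exposed to the issue.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of an NX-OS running-config excerpt (not from any real device).
# Vlan10 is compliant; Vlan20, Ethernet1/1 and loopback0 are Layer 3 but rely on
# the silent default; Ethernet1/2 is a Layer 2 access port and is out of scope.
SAMPLE_CONFIG = """\
interface Vlan10
  description server-vlan
  no shutdown
  ip address 10.10.10.1/24
  no ip redirects
  hsrp 10
    ip 10.10.10.254
interface Vlan20
  description user-vlan
  no shutdown
  ip address 10.10.20.1/24
interface Ethernet1/1
  description uplink-to-wan-router
  no switchport
  ip address 192.0.2.1/30
interface Ethernet1/2
  switchport
  switchport access vlan 20
interface loopback0
  ip address 10.255.0.1/32
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface_name: [stripped sub-lines]}.

    Only 'interface' stanzas are collected; any unindented line ends the
    current stanza, so global configuration is ignored.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # left the interface block
    return blocks


def is_layer3(lines: List[str]) -> bool:
    """An interface is routed if it carries at least one 'ip address' line
    (primary or secondary)."""
    return any(re.match(r"ip address \S+", line) for line in lines)


def redirects_enabled(lines: List[str]) -> bool:
    """NX-OS does not print the enabled default; only an explicit
    'no ip redirects' line turns redirects off."""
    return "no ip redirects" not in lines


def audit(config: str, exempt_prefixes: Iterable[str] = ()) -> Dict[str, str]:
    """Return {interface: 'PASS'|'FAIL'} for every Layer 3 interface.

    exempt_prefixes (assumed helper parameter) skips interfaces whose name
    starts with one of the given strings, e.g. ('loopback',).
    """
    findings: Dict[str, str] = {}
    for name, lines in parse_interfaces(config).items():
        if not is_layer3(lines):
            continue
        if any(name.lower().startswith(p.lower()) for p in exempt_prefixes):
            continue
        findings[name] = "FAIL" if redirects_enabled(lines) else "PASS"
    return findings


def remediation_commands(findings: Dict[str, str]) -> List[str]:
    """Build the config-mode commands that bring every failing interface
    into compliance."""
    commands: List[str] = []
    for name, state in findings.items():
        if state == "FAIL":
            commands.extend([f"interface {name}", "  no ip redirects"])
    return commands


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for iface, state in result.items():
        print(f"{state}  {iface}")
    print("\n".join(remediation_commands(result)))
```

Run against a real 'show running-config' capture, the script lists each routed interface with PASS or FAIL and prints the commands to paste into configuration mode; pass exempt_prefixes=('loopback',) to leave loopbacks out of the report if your policy treats them as not reachable by any host.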

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-18, 800-53|AC-18(1), 800-53|AC-18(3), 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|11.1

Plugin: Cisco

Control ID: 6a1931930f9a892f526ff319fa08334feec283c8b0dc4398b35483a293604d6c