> 4) Should routers discard received redirects that aren't
> addressed to the router?
> Routers should always ignore Redirects.
>
> A router using a routing protocol (other than static routes)
> MUST NOT consider paths learned from ICMP Redirects when
> forwarding a packet.

Yes, but this applies only to redirects which ARE addressed to the router. I was hoping for a way that a router could recognize a bogus redirect being sent through it to another host, and discard it, like it would discard source-routed traffic, or traffic with a spoofed source address.

Just as one example, Cisco routers can be configured to discard all ICMPs, but can't be configured to filter some types of ICMP but not others. It might work to filter out all ICMPs with a source address of the router itself, since apparently filters aren't applied to packets that originate on the router.

If the host ignores redirects that don't come from the current gateway (which it's supposed to do), then there shouldn't be any way to get a bogus redirect to it. If the host isn't careful about the source of redirects, then I don't think either Cisco or Netblazer access lists are enough to prevent spoofed redirects, without also disabling things like port-unreachables and ping, which are really too valuable to lose. Other routers may be more flexible.

--
Tom Fitzgerald 1-508-967-5278 Wang Labs, Lowell MA, USA fitz@wang.com
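
The host-side check the message refers to (ignore redirects that don't come from the current gateway), sketched in Python as an added example that is not part of the original post. The route table, addresses and function names are constructed for illustration, and the same-subnet test on the new gateway is the companion check from RFC 1122, not something stated in the message.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5  # ICMP type 5; codes 0-3 are defined
# Constructed sample host state (documentation address ranges).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): ipaddress.ip_address("192.0.2.1"),
    ipaddress.ip_network("198.51.100.0/24"): ipaddress.ip_address("192.0.2.3"),
}

def first_hop(dst, routes):
    """Longest-prefix match over {network: gateway}; None if no route."""
    hits = [(net, gw) for net, gw in routes.items() if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def accept_redirect(pkt, routes=ROUTES, local_net=LOCAL_NET):
    """True only if the Redirect came from the current first-hop gateway for
    the destination it names and offers a new gateway on the attached net."""
    if len(pkt) < 20:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 28 or pkt[9] != 1:  # malformed or not ICMP
        return False
    if pkt[ihl] != ICMP_REDIRECT or pkt[ihl + 1] > 3:
        return False
    src = ipaddress.ip_address(pkt[12:16])                 # sender of the Redirect
    new_gw = ipaddress.ip_address(pkt[ihl + 4:ihl + 8])    # gateway it proposes
    dst = ipaddress.ip_address(pkt[ihl + 24:ihl + 28])     # dst of the quoted datagram
    if new_gw not in local_net:                            # must be directly reachable
        return False
    return src == first_hop(dst, routes)                   # must be the gateway in use

def _ip(text):
    return ipaddress.ip_address(text).packed

def build_redirect(src, new_gw, orig_src, orig_dst):
    """Constructed test packet: IPv4 + ICMP Redirect (checksums left zero)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        _ip(orig_src), _ip(orig_dst)) + bytes(8)
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, _ip(new_gw)) + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 255, 1, 0,
                        _ip(src), _ip(orig_src))
    return outer + icmp
```

The check trusts the IP source address, so it is only as strong as the spoofed-source filtering at the router that the message mentions.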