forwarding icmp redirects.

Brian Candler B.Candler at pobox.com
Fri Dec 30 04:34:48 PST 2005


On Thu, Dec 29, 2005 at 09:01:50PM -0800, Julian Elischer wrote:
> >IMHO we should disable emitting and acting upon ICMP redirects by default.
> 
> I know many places that rely on them heavily.. please don't do that..
> Cisco PIX doesn't generate them.. it makes that machine a pain in the ****
> to use in some situations.

But you can always turn them back on if you need them.

I also vote for disabling ICMP redirects by default, from painful
experience.

One place I worked many years ago had a pair of Cisco border routers as
gateways to the outside world. They talked iBGP to each other, but just HSRP
on the local network, i.e. there was a single shared IP address which the
servers pointed defaultroute to.

Whenever a client machine sent a packet to X.X.X.X on the Internet, it would
hit whichever router was the HSRP master. If BGP said that the best egress
route was via the other router, it would forward the packet to the other
router but also send back an ICMP redirect saying "to reach X.X.X.X in
future use Z.Z.Z.Z as your next hop" (Z.Z.Z.Z being the other Cisco's own
IP).

So, lots of machines on the network started building up *permanent*
forwarding table entries saying that X.X.X.X should be reached via Z.Z.Z.Z.
As a result, on the day that the second router died, half the Internet
became unreachable from those machines. So much for resilience!

The solution was to turn off the generation of redirects on the Ciscos,
followed by lots of route flushing everywhere else. But the moral is: ICMP
redirects are evil and are no substitute for a routing protocol.

Regards,

Brian.
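An added check, not part of this mail or of FreeBSD itself, that finds the kind of redirect-installed host routes described above by parsing FreeBSD `netstat -rn` output; the sample table, the addresses and the next hop 192.0.2.2 are constructed.

```python
from collections import defaultdict

# Constructed sample of FreeBSD `netstat -rn` output: three host routes were
# installed by redirects from the HSRP master pointing at the second router
# (192.0.2.2); flag D = created by redirect, M = modified by redirect.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
192.0.2.0/24       link#1             U           em0
192.0.2.10         link#1             UHS         lo0
198.51.100.7       192.0.2.2          UGHD        em0   1187
198.51.100.9       192.0.2.2          UGHD        em0    560
203.0.113.40       192.0.2.2          UGHM        em0
127.0.0.1          link#2             UH          lo0
"""

def parse_routes(text):
    """Yield (destination, gateway, flags) for each IPv4 route line."""
    in_inet = False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_inet or line.startswith("Destination") or not line.strip():
            continue
        fields = line.split()
        if len(fields) >= 3:
            yield fields[0], fields[1], fields[2]

def redirect_routes(text):
    """Map each next hop to the destinations learned for it via ICMP redirect."""
    learned = defaultdict(list)
    for dest, gw, flags in parse_routes(text):
        if "D" in flags or "M" in flags:
            learned[gw].append(dest)
    return dict(learned)

if __name__ == "__main__":
    # Many entries behind one next hop is exactly the single point of failure
    # the mail describes: they outlive the router that sent the redirects.
    for gw, dests in sorted(redirect_routes(SAMPLE_NETSTAT).items()):
        print(f"{len(dests)} redirect-learned route(s) via {gw}: {', '.join(dests)}")
```

On FreeBSD the clean-up the mail describes maps to `route delete <dest>` for each reported entry, plus `sysctl net.inet.icmp.drop_redirect=1` on hosts and `net.inet.ip.redirect=0` on the routers.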

