2.4.19 ICMP redirects erroneously ignored

Post by Tim Gardne » Fri, 10 Jan 2003 04:00:15



I'm getting pounded by ICMP redirects from my Nortel router. The
setup is a SuSE 8.1 (2.4.19) standard client with fixed IP and netmask.
The client is configured with a default route. However, there are
several routers on the subnet that the default router knows about.
Hence, the reason that the Nortel router emits ICMP redirects
which my client steadfastly ignores.

I've RTFM, read the kernel source, and checked the relevant settings
(/proc/sys/net/ipv4/conf/all/*). I find in /proc/net/rt_cache that there are
2 entries, one of which is marked RTCF_REDIRECTED.

Why isn't this redirected route being used?

This seems like a problem that ought to be common to anyone that
has multiple routers on the same subnet. What am I missing?

rtg
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in

More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

 
 
 

Post by Ranjeet Shety » Fri, 10 Jan 2003 04:20:10



> I'm getting pounded by ICMP redirects from my Nortel router. The
> setup is a SuSE 8.1 (2.4.19) standard client with fixed IP and netmask.
> The client is configured with a default route. However, there are
> several routers on the subnet that the default router knows about.
> Hence, the reason that the Nortel router emits ICMP redirects
> which my client steadfastly ignores.

> I've RTFM, read the kernel source, and checked the relevant settings
> (/proc/sys/net/ipv4/conf/all/*). I find in /proc/net/rt_cache that there are
> 2 entries, one of which is marked RTCF_REDIRECTED.

> Why isn't this redirected route being used?

AFAIK, because that would mean that you are allowing another machine to
manipulate your routing tables by simply using ICMP. How do you know
that you can trust the other machine, in this case, the Nortel router?
The problem is not of (missing) functionality, it's about trusting the
integrity of the source of the ICMP redirect.

> This seems like a problem that ought to be common to anyone that
> has multiple routers on the same subnet. What am I missing?

> rtg

--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/


 
 
 

Post by Tim Gardne » Fri, 10 Jan 2003 04:30:09


I understand the ramifications of ICMP redirect and how it can be misused.
However, the SuSE 8.1 default for non-forwarding
(/proc/sys/net/ipv4/ip_forward==0) Linux is to accept redirects. I also own
the router, so I trust it.

rtg


> > I'm getting pounded by ICMP redirects from my Nortel router. The
> > setup is a SuSE 8.1 (2.4.19) standard client with fixed IP and netmask.
> > The client is configured with a default route. However, there are
> > several routers on the subnet that the default router knows about.
> > Hence, the reason that the Nortel router emits ICMP redirects
> > which my client steadfastly ignores.

> > I've RTFM, read the kernel source, and checked the relevant settings
> > (/proc/sys/net/ipv4/conf/all/*). I find in /proc/net/rt_cache that there
> > are 2 entries, one of which is marked RTCF_REDIRECTED.

> > Why isn't this redirected route being used?

> AFAIK, because that would mean that you are allowing another machine to
> manipulate your routing tables by simply using ICMP. How do you know
> that you can trust the other machine, in this case, the Nortel router?
> The problem is not of (missing) functionality, it's about trusting the
> integrity of the source of the ICMP redirect.

> > This seems like a problem that ought to be common to anyone that
> > has multiple routers on the same subnet. What am I missing?

> > rtg

--

TriplePoint, Inc. - http://www.tpi.com
PGP: http://www.tpi.com/PGP/Tim.txt
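Added example, not part of the original thread or of any poster's message: a shell sketch that classifies how each interface treats ICMP redirects from the /proc/sys/net/ipv4/conf/ settings discussed above. It assumes the combination rules given in the kernel's ip-sysctl documentation for current kernels (2.4.19 may differ); `SYSCTL_ROOT`, the function names and the result labels are made up for this example.

```shell
#!/bin/sh
# Added example: classify an interface's ICMP redirect handling from its sysctls.
# SYSCTL_ROOT is a hypothetical override so the logic can run on a constructed tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4}"

# conf_get <all|iface> <key>: print the value, or 0 if the file is absent.
conf_get() {
    cat "$SYSCTL_ROOT/conf/$1/$2" 2>/dev/null || echo 0
}

# either <key> <iface>: succeed if the key is non-zero in conf/all OR conf/<iface>.
either() {
    [ "$(conf_get all "$1")" -ne 0 ] || [ "$(conf_get "$2" "$1")" -ne 0 ]
}

# both <key> <iface>: succeed if the key is non-zero in conf/all AND conf/<iface>.
both() {
    [ "$(conf_get all "$1")" -ne 0 ] && [ "$(conf_get "$2" "$1")" -ne 0 ]
}

# redirect_policy <iface>: print one of
#   ignore               redirects are dropped
#   accept-shared-media  accepted; shared_media overrides secure_redirects
#   accept-secure        accepted only to gateways in the current gateway list
#   accept-onlink        accepted subject only to the RFC 1122 checks
redirect_policy() {
    iface=$1
    if [ "$(conf_get "$iface" forwarding)" -ne 0 ]; then
        both accept_redirects "$iface" || { echo ignore; return 0; }   # router: both set
    else
        either accept_redirects "$iface" || { echo ignore; return 0; } # host: either set
    fi
    if either shared_media "$iface"; then
        echo accept-shared-media
    elif either secure_redirects "$iface"; then
        echo accept-secure
    else
        echo accept-onlink
    fi
}

# report_all: one line per interface found under SYSCTL_ROOT.
report_all() {
    for d in "$SYSCTL_ROOT"/conf/*/; do
        i=$(basename "$d")
        case $i in all|default) continue ;; esac
        printf '%s\t%s\n' "$i" "$(redirect_policy "$i")"
    done
}
if [ "${1:-}" = "report" ]; then report_all; fi
```

Run with the argument `report` to list the live interfaces. On a host that should never follow redirects, every interface should come back as `ignore`.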