2003-01-09 01:43:26

by Tim Gardner

[permalink] [raw]
Subject: 2.4.19 ICMP redirects erroneously ignored

I'm getting pounded by ICMP redirects from my Nortel router. The
setup is a SuSE 8.1 (2.4.19) standard client with fixed IP and netmask.
The client is configured with a default route. However, there are
several routers on the subnet that the default router knows about.
Hence, the reason that the Nortel router emits ICMP redirects
which my client steadfastly ignores.

I've RTFM, read the kernel source, and checked the relevant settings
(/proc/sys/net/ipv4/conf/all/*). I find in /proc/net/rt_cache that there are
2 entries, one of which is marked RTCF_REDIRECTED.

Why isn't this redirected route being used?

This seems like a problem that ought to be common to anyone that
has multiple routers on the same subnet. What am I missing?

rtg


2003-01-09 02:07:51

by Ranjeet Shetye

[permalink] [raw]
Subject: Re: 2.4.19 ICMP redirects erroneously ignored

On Thu, 2003-01-09 at 02:52, Tim Gardner wrote:
> I'm getting pounded by ICMP redirects from my Nortel router. The
> setup is a SuSE 8.1 (2.4.19) standard client with fixed IP and netmask.
> The client is configured with a default route. However, there are
> several routers on the subnet that the default router knows about.
> Hence, the reason that the Nortel router emits ICMP redirects
> which my client steadfastly ignores.
>
> I've RTFM, read the kernel source, and checked the relevant settings
> (/proc/sys/net/ipv4/conf/all/*). I find in /proc/net/rt_cache that there are
> 2 entries, one of which is marked RTCF_REDIRECTED.
>
> Why isn't this redirected route being used?

AFAIK, because that would mean that you are allowing another machine to
manipulate your routing tables by simply using ICMP. How do you know
that you can trust the other machine, in this case, the nortel router ?
The problem is not of (missing) functionality, its about trusting the
integrity of the source of the ICMP redirect.

>
> This seems like a problem that ought to be common to anyone that
> has multiple routers on the same subnet. What am I missing?
>
> rtg
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/

2003-01-09 02:13:08

by Tim Gardner

[permalink] [raw]
Subject: Re: 2.4.19 ICMP redirects erroneously ignored

I understand the ramifications of ICMP redirect and how it can be mis-used.
However, the SuSE 8.1 default for non-forwarding
(/proc/sys/net/ipv4ip_forward==0) Linux is to accept redirects. I also own
the router, so I trust it.

rtg
On Wednesday 08 January 2003 10:16, Ranjeet Shetye wrote:
> On Thu, 2003-01-09 at 02:52, Tim Gardner wrote:
> > I'm getting pounded by ICMP redirects from my Nortel router. The
> > setup is a SuSE 8.1 (2.4.19) standard client with fixed IP and netmask.
> > The client is configured with a default route. However, there are
> > several routers on the subnet that the default router knows about.
> > Hence, the reason that the Nortel router emits ICMP redirects
> > which my client steadfastly ignores.
> >
> > I've RTFM, read the kernel source, and checked the relevant settings
> > (/proc/sys/net/ipv4/conf/all/*). I find in /proc/net/rt_cache that there
> > are 2 entries, one of which is marked RTCF_REDIRECTED.
> >
> > Why isn't this redirected route being used?
>
> AFAIK, because that would mean that you are allowing another machine to
> manipulate your routing tables by simply using ICMP. How do you know
> that you can trust the other machine, in this case, the nortel router ?
> The problem is not of (missing) functionality, its about trusting the
> integrity of the source of the ICMP redirect.
>
> > This seems like a problem that ought to be common to anyone that
> > has multiple routers on the same subnet. What am I missing?
> >
> > rtg
> > -
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel"
> > in the body of a message to [email protected]
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at http://www.tux.org/lkml/

--
Tim Gardner - [email protected] 406-443-5357
TriplePoint, Inc. - http://www.tpi.com
PGP: http://www.tpi.com/PGP/Tim.txt