From owner-freebsd-stable Tue Sep 28 17:53: 8 1999
Delivered-To: freebsd-stable@freebsd.org
Received: from pop.uniserve.com (pop.uniserve.com [204.244.156.3])
	by hub.freebsd.org (Postfix) with SMTP id 3881815783
	for ; Tue, 28 Sep 1999 17:52:49 -0700 (PDT)
	(envelope-from tom@uniserve.com)
Received: from shell.uniserve.ca [204.244.186.218]
	by pop.uniserve.com with smtp (Exim 1.82 #4)
	id 11W7z0-0003lk-00; Tue, 28 Sep 1999 17:52:34 -0700
Date: Tue, 28 Sep 1999 17:52:31 -0700 (PDT)
From: Tom
X-Sender: tom@shell.uniserve.ca
To: Gregory Bond
Cc: stable@freebsd.org
Subject: Re: ICMP REDIRECTs
In-Reply-To: <199909290034.KAA19147@lightning.itga.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 29 Sep 1999, Gregory Bond wrote:

> Hi. We have two routers on our local net. Only one is our default, of course.
> When I ping a host that is via the other route, I get 2 ICMP REDIRECTs (one for
> the specific host, one for the net) for every outgoing ping packet.
>
> I.e. I'm getting redirects for the second ... nth packets. I kind-of assumed
> the first redirect would update the local routing tables so that subsequent
> pings would go direct to the correct gateway. And "netstat -r" does show a
> _host_ entry, but not a _net_ entry. And another ping to the same host will go
> to the correct gateway, but a ping to another host on the same remote net will
> also elicit 2 REDIRECTS per packet, and install a host route.
>
> I am surprised by 2 elements of this behaviour:
> - the REDIRECT doesn't affect the route chosen by the current ping process
> - only the HOST_REDIRECT gets installed in the routing table
>
> Is this the expected behaviour?

Well, remember that ICMP redirects are just bandages to cover routing
problems. No one really should be routing that way.

ICMP redirects are easily spoofed, so many systems ignore them.
Otherwise they risk having their connectivity being disconnected on whim.
Also, many systems no longer send ICMP redirects because some people
actually want to pass traffic through an intervening system!

I don't know how FreeBSD ships these days, but I suggest that it should
ship with ignore ICMP redirects as the default.

I find it very odd that your router is sending two redirects per packet.
A host and network redirect sounds very scary. Good thing your box is
ignoring the ICMP network redirect, otherwise I could hose your network so
quickly. How quickly do routes added by ICMP redirect expire? :)

Why not just add a route on your workstation/server, or enable a routing
protocol? RIPv2 is simple, and offers authentication too.

Tom

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
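
Added example (not part of the original message and not FreeBSD's code): a sketch of the receive-side sanity checks RFC 1122 section 3.2.2.2 recommends before a host acts on an ICMP Redirect, with network redirects treated as host redirects as that RFC also recommends. The function names, the `first_hop_for` routing-lookup callback and `build_redirect` (which constructs sample packets) are assumptions made for illustration.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5
CODES = {0: "net", 1: "host", 2: "tos-net", 3: "tos-host"}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; a valid ICMP message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_redirect(icmp: bytes) -> dict:
    """Decode type 5: new gateway plus the embedded original IP header."""
    if len(icmp) < 8 + 20:
        raise ValueError("truncated")
    icmp_type, code, _ = struct.unpack("!BBH", icmp[:4])
    if icmp_type != ICMP_REDIRECT or code not in CODES:
        raise ValueError("not a redirect")
    if checksum(icmp) != 0:
        raise ValueError("bad checksum")
    return {"kind": CODES[code],
            "gateway": ipaddress.IPv4Address(icmp[4:8]),
            "dst": ipaddress.IPv4Address(icmp[8:][16:20])}

def accept_redirect(src, icmp, local_net, first_hop_for):
    """Return (ok, reason); first_hop_for is a hypothetical route lookup."""
    try:
        r = parse_redirect(icmp)
    except ValueError as e:
        return False, str(e)
    if r["gateway"] not in local_net:       # new gateway must be on-link
        return False, "gateway off-link"
    if first_hop_for(r["dst"]) != ipaddress.IPv4Address(src):
        return False, "sender is not current first hop"
    return True, f"host route {r['dst']} via {r['gateway']}"  # never a net route

def build_redirect(code, gateway, orig_src, orig_dst):
    """Constructed sample packet for testing (not captured traffic)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0, 0, 64, 1, 0,
                        ipaddress.IPv4Address(orig_src).packed,
                        ipaddress.IPv4Address(orig_dst).packed) + b"\x08\x00" + bytes(6)
    body = ipaddress.IPv4Address(gateway).packed + inner
    head = struct.pack("!BBH", ICMP_REDIRECT, code, 0)
    return struct.pack("!BBH", ICMP_REDIRECT, code, checksum(head + body)) + body
```

The source address these checks rely on is itself unauthenticated, so they narrow what a forged redirect can do but do not replace ignoring redirects or using static routes or an authenticated routing protocol.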