From: Andre Oppermann <andre@freebsd.org>
Date: Fri, 30 Dec 2005 13:40:07 +0100
To: Brian Candler
Cc: freebsd-net@freebsd.org, Julian Elischer
Subject: Re: forwarding icmp redirects.
Message-ID: <43B52AA7.EA05579A@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net)

Brian Candler wrote:
>
> On Thu, Dec 29, 2005 at 09:01:50PM -0800, Julian Elischer wrote:
>
> > > IMHO we should disable emitting and acting upon ICMP redirects by default.
> >
> > I know many places that rely on them heavily.. please don't do that..
> > Cisco PIX doesn't generate them.. it makes that machine a pain in the ****
> > to use in some situations.
>
> But you can always turn them back on if you need them.
>
> I also vote for disabling ICMP redirects by default, from painful
> experience.
>
> One place I worked many years ago had a pair of Cisco border routers as
> gateways to the outside world. They talked iBGP to each other, but just HSRP
> on the local network, i.e. there was a single shared IP address which the
> servers pointed defaultroute to.
>
> Whenever a client machine sent a packet to X.X.X.X on the Internet, it would
> hit whichever router was the HSRP master. If BGP said that the best egress
> route was via the other router, it would forward the packet to the other
> router but also send back an ICMP redirect saying "to reach X.X.X.X in
> future use Z.Z.Z.Z as your next hop" (Z.Z.Z.Z being the other Cisco's own
> IP).
>
> So, lots of machines on the network started building up *permanent*
> forwarding table entries saying that X.X.X.X should be reached via Z.Z.Z.Z.
> As a result, on the day that the second router died, half the Internet
> became unreachable from those machines. So much for resilience!
>
> The solution was to turn off the generation of redirects on the Ciscos,
> followed by lots of route flushing everywhere else. But the moral is: ICMP
> redirects are evil and are no substitute for a routing protocol.

Indeed. And another problem with ICMP redirects is that they only create
host routes. If you have a server with clients on the big wide Internet
you'll get thousands to hundred-thousands of host routes from redirects.

--
Andre
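The two failure modes described in this thread (a redirect installs only a /32 host route, so a busy server accumulates one per client, and those host routes silently outlive the router they point at) can be shown with a small model of a host's forwarding table. The following is an added example, not code from the thread or from FreeBSD; the router addresses, the destination range and the "BGP prefers the other router for every second destination" policy are all constructed for the illustration.

```python
# Added example (not from the thread): a toy model of what an ICMP redirect
# does to a host's forwarding table, and why that hurts when the router the
# redirect pointed at disappears. All addresses and the routing policy below
# are constructed for the illustration.
import ipaddress
from dataclasses import dataclass, field

HSRP_VIP = "192.0.2.1"   # shared address the hosts point defaultroute at
ROUTER_A = "192.0.2.2"   # HSRP master; every packet from the LAN hits it first
ROUTER_B = "192.0.2.3"   # the "other Cisco" that iBGP prefers for some egress


@dataclass
class Host:
    """A LAN host with one default route.

    accept_redirects=True models a kernel that honours received redirects
    (FreeBSD: net.inet.icmp.drop_redirect=0); False models ignoring them
    (net.inet.icmp.drop_redirect=1)."""
    default_gw: str
    accept_redirects: bool = True
    # A redirect can only ever install a /32 host route: one entry per
    # destination, never a prefix. This dict is that set of /32s.
    host_routes: dict = field(default_factory=dict)

    def on_redirect(self, dst: str, new_gw: str) -> None:
        if self.accept_redirects:
            self.host_routes[dst] = new_gw

    def next_hop(self, dst: str) -> str:
        # Longest-prefix match: a /32 learned from a redirect beats the
        # default route for that destination.
        return self.host_routes.get(dst, self.default_gw)


def bgp_prefers_b(dst: str) -> bool:
    """Constructed policy: the master's iBGP says the best egress for every
    second destination is via ROUTER_B."""
    return int(ipaddress.ip_address(dst)) % 2 == 0


def run_scenario(n_dests: int, accept_redirects: bool) -> dict:
    host = Host(default_gw=HSRP_VIP, accept_redirects=accept_redirects)
    # Constructed destination block; only its size matters here.
    dests = [str(ipaddress.ip_address("100.64.0.0") + i) for i in range(n_dests)]

    # Phase 1: the host talks to many destinations. The HSRP master forwards
    # each packet and, when ROUTER_B is the better egress, also sends back
    # "to reach dst in future use ROUTER_B".
    redirects_sent = 0
    for dst in dests:
        if host.next_hop(dst) == HSRP_VIP and bgp_prefers_b(dst):
            redirects_sent += 1
            host.on_redirect(dst, ROUTER_B)

    # Phase 2: ROUTER_B dies. HSRP keeps the VIP alive on ROUTER_A, so the
    # default route still works, but every /32 pointing straight at ROUTER_B
    # now leads nowhere. Nothing on the host expires those entries.
    alive = {HSRP_VIP, ROUTER_A}
    unreachable = sum(1 for dst in dests if host.next_hop(dst) not in alive)

    return {
        "redirects_sent": redirects_sent,
        "host_routes": len(host.host_routes),
        "unreachable_after_b_dies": unreachable,
    }


if __name__ == "__main__":
    for accept in (True, False):
        print("accept_redirects=%s -> %s" % (accept, run_scenario(1000, accept)))
```

With 1000 destinations the host that honours redirects ends up with 500 host routes and loses exactly those 500 destinations when the second router dies, while the host that drops redirects keeps a single default route and loses nothing; the master keeps emitting redirects either way, which is why the thread argues for turning off both sides (on FreeBSD, net.inet.ip.redirect=0 stops sending them and net.inet.icmp.drop_redirect=1 stops acting on them).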