Date: Fri, 30 Dec 2005 13:40:07 +0100
From: Andre Oppermann <andre@freebsd.org>
To: Brian Candler <B.Candler@pobox.com>
Cc: freebsd-net@freebsd.org, Julian Elischer <julian@elischer.org>
Subject: Re: forwarding icmp redirects.
Message-ID: <43B52AA7.EA05579A@freebsd.org>
References: <43B45D8A.7040609@elischer.org> <43B47A31.2CABFD7D@freebsd.org> <43B4BF3E.9070907@elischer.org> <20051230123442.GC14630@uk.tiscali.com>
Brian Candler wrote:
>
> On Thu, Dec 29, 2005 at 09:01:50PM -0800, Julian Elischer wrote:
>
> > > IMHO we should disable emitting and acting upon ICMP redirects by default.
> >
> > I know many places that rely on them heavily.. please don't do that..
> > Cisco PIX doesn't generate them.. it makes that machine a pain in the ****
> > to use in some situations.
>
> But you can always turn them back on if you need them.
>
> I also vote for disabling ICMP redirects by default, from painful
> experience.
>
> One place I worked many years ago had a pair of Cisco border routers as
> gateways to the outside world. They talked iBGP to each other, but just HSRP
> on the local network, i.e. there was a single shared IP address which the
> servers pointed defaultroute to.
>
> Whenever a client machine sent a packet to X.X.X.X on the Internet, it would
> hit whichever router was the HSRP master. If BGP said that the best egress
> route was via the other router, it would forward the packet to the other
> router but also send back an ICMP redirect saying "to reach X.X.X.X in
> future use Z.Z.Z.Z as your next hop" (Z.Z.Z.Z being the other Cisco's own
> IP).
>
> So, lots of machines on the network started building up *permanent*
> forwarding table entries saying that X.X.X.X should be reached via Z.Z.Z.Z.
> As a result, on the day that the second router died, half the Internet
> became unreachable from those machines. So much for resilience!
>
> The solution was to turn off the generation of redirects on the Ciscos,
> followed by lots of route flushing everywhere else. But the moral is: ICMP
> redirects are evil and are no substitute for a routing protocol.

Indeed. And another problem with ICMP redirects is that they only create
host routes. If you have a server with clients on the big wide Internet
you'll get thousands to hundreds of thousands of host routes from redirects.

--
Andre
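The two failure modes described in this thread (redirect-installed host routes pinned to a gateway that later dies, and the per-destination host-route growth a busy server sees) can be replayed in a small model. The following is an added example written for this archive page, not code from the thread or from FreeBSD: it parses an ICMP Redirect (type 5) the way a host would, applies the RFC 1122 acceptance checks (redirect must come from the current first hop for that destination, new gateway must be on the connected network), installs host routes, and then shows what happens when the redirected-to router fails. The addresses (192.0.2.0/24, 203.0.113.0/24) and the HSRP layout are constructed; the `drop_redirects` flag stands in for a host configured to ignore redirects, as the thread recommends.

```python
"""Model of ICMP redirects installing host routes and pinning traffic to a
gateway that may later die. Added example; addresses are constructed."""
import ipaddress
import struct

ICMP_REDIRECT = 5    # ICMP type Redirect (RFC 792)
REDIRECT_HOST = 1    # code 1: redirect datagrams for the host


def ip_checksum(data: bytes) -> int:
    """Ones-complement Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(new_gateway: str, original_dst: str) -> bytes:
    """Bytes of the ICMP Redirect a router sends: type, code, checksum,
    new gateway, then the IP header (+8 bytes) of the triggering datagram."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                        ipaddress.ip_address("192.0.2.50").packed,   # constructed client
                        ipaddress.ip_address(original_dst).packed)
    hdr = struct.pack("!BBH4s", ICMP_REDIRECT, REDIRECT_HOST, 0,
                      ipaddress.ip_address(new_gateway).packed)
    pkt = hdr + inner + b"\x00" * 8
    return pkt[:2] + struct.pack("!H", ip_checksum(pkt)) + pkt[4:]


def parse_redirect(pkt: bytes):
    """Return (new_gateway, original_dst) or raise ValueError."""
    if len(pkt) < 28 or pkt[0] != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect")
    if ip_checksum(pkt) != 0:       # checksum over the whole message folds to 0 when valid
        raise ValueError("bad checksum")
    gw = ipaddress.ip_address(pkt[4:8])
    dst = ipaddress.ip_address(pkt[8 + 16:8 + 20])   # dst field of the inner IP header
    return gw, dst


class Host:
    """Host with one connected network and a default route via the HSRP VIP."""

    def __init__(self, iface_net: str, default_gw: str, drop_redirects: bool = False):
        self.net = ipaddress.ip_network(iface_net)
        self.default_gw = ipaddress.ip_address(default_gw)
        self.host_routes = {}            # dst -> gateway, only ever filled by redirects
        self.drop_redirects = drop_redirects

    def next_hop(self, dst: str):
        dst = ipaddress.ip_address(dst)
        if dst in self.net:
            return dst                   # directly connected
        return self.host_routes.get(dst, self.default_gw)

    def receive_redirect(self, src: str, pkt: bytes) -> bool:
        """Install a host route if the redirect passes the RFC 1122 checks."""
        if self.drop_redirects:          # host configured to ignore redirects
            return False
        gw, dst = parse_redirect(pkt)
        if ipaddress.ip_address(src) != self.next_hop(str(dst)):
            return False                 # not from our current first hop for dst
        if gw not in self.net:
            return False                 # new gateway is not on the connected net
        self.host_routes[dst] = gw
        return True

    def flush_routes_via(self, gw: str) -> int:
        """The manual cleanup the thread describes after a gateway dies."""
        gw = ipaddress.ip_address(gw)
        dead = [d for d, g in self.host_routes.items() if g == gw]
        for d in dead:
            del self.host_routes[d]
        return len(dead)


def hsrp_scenario(drop_redirects: bool = False) -> dict:
    """HSRP VIP .1 redirects half the destinations to router B (.3); B dies."""
    host = Host("192.0.2.0/24", "192.0.2.1", drop_redirects)
    dests = [f"203.0.113.{i}" for i in range(1, 101)]      # constructed destinations
    for d in dests[:50]:
        host.receive_redirect("192.0.2.1", build_redirect("192.0.2.3", d))
    router_b = ipaddress.ip_address("192.0.2.3")
    pinned = sum(1 for d in dests if host.next_hop(d) == router_b)
    # Router B dies: every destination pinned to it is black-holed until flushed.
    flushed = host.flush_routes_via("192.0.2.3")
    recovered = sum(1 for d in dests if host.next_hop(d) == host.default_gw)
    return {"host_routes": pinned, "unreachable": pinned,
            "flushed": flushed, "recovered": recovered}


if __name__ == "__main__":
    print("accepting redirects:", hsrp_scenario())
    print("dropping redirects: ", hsrp_scenario(drop_redirects=True))
```

With redirects accepted, fifty destinations end up as host routes via router B and all fifty are unreachable the moment B fails, exactly the outage in the thread; with redirects dropped the table never grows and every destination keeps following the default route. The same model, scaled to a server's client population, is the host-route explosion Andre mentions: one entry per remote address rather than one per prefix.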
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43B52AA7.EA05579A>