Date: Fri, 30 Dec 2005 12:34:42 +0000
From: Brian Candler <B.Candler@pobox.com>
To: Julian Elischer <julian@elischer.org>
Cc: freebsd-net@freebsd.org, Andre Oppermann <andre@freebsd.org>
Subject: Re: forwarding icmp redirects.
Message-ID: <20051230123442.GC14630@uk.tiscali.com>
In-Reply-To: <43B4BF3E.9070907@elischer.org>
References: <43B45D8A.7040609@elischer.org> <43B47A31.2CABFD7D@freebsd.org> <43B4BF3E.9070907@elischer.org>
On Thu, Dec 29, 2005 at 09:01:50PM -0800, Julian Elischer wrote:
> >IMHO we should disable emitting and acting upon ICMP redirects by default.
>
> I know many places that rely on them heavily.. please don't do that..
> Cisco PIX doesn't generate them.. it makes that machine a pain in the ****
> to use in some situations.

But you can always turn them back on if you need them.

I also vote for disabling ICMP redirects by default, from painful experience.

One place I worked many years ago had a pair of Cisco border routers as gateways to the outside world. They talked iBGP to each other, but just HSRP on the local network, i.e. there was a single shared IP address which the servers pointed defaultroute to.

Whenever a client machine sent a packet to X.X.X.X on the Internet, it would hit whichever router was the HSRP master. If BGP said that the best egress route was via the other router, it would forward the packet to the other router but also send back an ICMP redirect saying "to reach X.X.X.X in future use Z.Z.Z.Z as your next hop" (Z.Z.Z.Z being the other Cisco's own IP).

So, lots of machines on the network started building up *permanent* forwarding table entries saying that X.X.X.X should be reached via Z.Z.Z.Z. As a result, on the day that the second router died, half the Internet became unreachable from those machines. So much for resilience!

The solution was to turn off the generation of redirects on the Ciscos, followed by lots of route flushing everywhere else. But the moral is: ICMP redirects are evil and are no substitute for a routing protocol.

Regards,

Brian.
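An added example, not part of Brian's message: a small Python audit that parses FreeBSD `netstat -rn` output to find the routes the kernel installed or altered on receipt of an ICMP redirect (netstat flags `D` and `M`), lists the `route delete` commands that would flush them, and names the sysctls that stop a host from honouring or emitting redirects. The routing-table sample is constructed.

```python
"""Audit a FreeBSD routing table for entries that came from ICMP redirects."""
from dataclasses import dataclass

# netstat(1) flag letters set by the kernel when a redirect creates (D) or
# modifies (M) a route; these are the "permanent" entries the message warns about.
REDIRECT_FLAGS = {"D": "created by redirect", "M": "modified by redirect"}

# sysctl settings that disable acting upon and emitting ICMP redirects.
HARDENING_SYSCTLS = ["net.inet.icmp.drop_redirect=1", "net.inet.ip.redirect=0"]

@dataclass
class Route:
    dest: str
    gateway: str
    flags: str

def parse_netstat(text):
    """Parse the 'Internet:' (IPv4) section of `netstat -rn` output."""
    routes, in_inet = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_inet or not line.strip() or line.startswith("Destination"):
            continue
        parts = line.split()
        if len(parts) >= 3:
            routes.append(Route(parts[0], parts[1], parts[2]))
    return routes

def redirect_routes(routes):
    """Return only routes whose flags show they were learned via a redirect."""
    return [r for r in routes if set(r.flags) & REDIRECT_FLAGS.keys()]

def flush_commands(routes):
    """Commands that would remove the redirect-learned host routes."""
    return [f"route delete -host {r.dest}" for r in redirect_routes(routes)]

# Constructed sample of netstat -rn output: two entries learned from redirects.
SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
127.0.0.1          link#2             UH          lo0
192.0.2.0/24       link#1             U           em0
198.51.100.7       192.0.2.2          UGHD        em0   1187
203.0.113.9        192.0.2.2          UGHM        em0

Internet6:
::1                link#2             UHS         lo0
"""
```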