SUMMARY: what causes modified redirects?

From: Rich Glazier (RichGlazier_at_netscape.net)
Date: 11/12/03

    Date: Wed, 12 Nov 2003 16:11:49 -0500
    To: tru64-unix-managers@ornl.gov

    Thanks to Fred van Kempen, Jeffery Hummel, and Irene Shilikhina.

    Irene sent me some past posts regarding blocking ICMP redirects, which is what I ended up doing, and all is fine. Search for ICMP redirects. Here are the other posts. One outstanding issue is knowing the ttl of a route entry.

    Correspondence between Fred and me.
    ------------------------------

    Rich,

    There was a change in one of the patch kits that sort of "added" the
    setting of a ttl field to those routing entries. Tom Blinn might
    know more about it.

    --fred

    > -----Original Message-----
    > From: Rich Glazier [mailto:RichGlazier@netscape.net]
    > Sent: Thursday, October 30, 2003 10:55 PM
    > To: Fred N. van Kempen
    > Subject: RE: what causes modified redirects?
    >
    >
    > Thanks for all the great input Fred. You mentioned the ttl
    > on route entries in version 5.1+. That is something I've
    > been trying to confirm. Is there a ttl for all routes in the
    > route table, or is it based on the type? I heard that ICMP
    > redirect entries "D" stay indefinitely, but that in the next
    > patchkit you'll be able to set a timeout value for ICMP
    > redirects. Do you know of any way of seeing how long entries
    > have been in the route table, and when they expire?
    >
    > "Fred N. van Kempen" <Fred.van.Kempen@microwalt.nl> wrote:
    >
    > >Rich,
    > >
    > >> -In Unix, if a packet can't get to an IP via its static or
    > >> learned route, will it then always try the default gateway?
    > >Yes.
    > >
    > >> -If the above scenario happened in our network, the default
    > >> gateway would send it back telling it where to go. Presumably
    > >> back to the dead path. Our default gateway wouldn't be able
    > >> to get it there.
    > >No, the dflt gw would pass it on as expected *and* send back an
    > >'icmp redirect' message to the sender saying "hey, I'll forward
    > >this for ya, but from now on, use gateway XXX, cos they know
    > >more about it."
    > >
    > >This is the GDM entry you see.
    > >
    > >> -Would the above scenario constitute a modified redirect?
    > >Yes.
    > >
    > >> - Is an "M" flag placed there by Unix, or is it sent from a
    > >> network device like the original ICMP redirect that adds
    > >> the "D" flag?
    > >I believe it gets the M flag when either ttl changes (since 5.1 now
    > >has ttls on these) or when the gw address changes.
    > >
    > >> -What can cause a modified redirect? i.e what network
    > >> devices can add the "M" to the route table.
    > >Anything that routes, so, routers, gateways and layer3 switches
    > >performing smart switching.
    > >
    > >> mars# netstat -rn | grep -E 'UGHD|default'
    > >> default 10.1.101.254 UGS 6 467279 fta0
    > >> 10.5.150.24 10.1.101.253 UGHDM 1 36645 fta0
    > >> 10.6.50.2 10.1.101.253 UGHDM 0 44 fta0
    > >> 10.6.50.6 10.1.101.253 UGHDM 0 525 fta0
    > >> 10.8.50.5 10.1.101.253 UGHDM 1 8318 fta0
    > >This means, that although you were sending everything to 10.1.101.254,
    > >that router reported back that although it can route the requested
    > >packets, it suggests that you use 10.1.101.253 for that destination
    > >instead, as that is a shorter route.
    > >
    > >It *can* happen when routers get congested.
    > >
    > >--fred
    > >
    >

    From Jeff
    -----------------------
    Do any of the routers between you and the target have a default route that
    is equivalent to the new route? If so and the routing table is incomplete,
    the intermediate router may have sent the ICMP update to your server.

    Jeff

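The thread turns on reading the flag column of `netstat -rn`: "D" marks a host route that an ICMP redirect installed, and "M" marks one a redirect later changed. The script below is an added example, not code from the list or from Tru64; it parses the BSD-style six-column listing quoted above (destination, gateway, flags, refs, use, interface), picks out the redirect-learned routes, and counts them per gateway so an administrator can see at a glance which router has been steering host routes. The sample listing is constructed from the lines in the thread, and the function and field names are this example's own. It does not show route age or expiry, which is the question the thread leaves open.

```python
"""Audit a BSD-style `netstat -rn` listing for routes that ICMP redirects
installed ('D') or modified ('M'). Added example; not a Tru64 utility."""
from __future__ import annotations
from dataclasses import dataclass

# Flag letters as used by BSD-derived netstat implementations (Tru64 included).
FLAG_MEANING = {
    "U": "up",
    "G": "gateway",
    "H": "host route",
    "S": "static (manually added)",
    "D": "dynamic (installed by ICMP redirect)",
    "M": "modified (changed by ICMP redirect)",
}

# Constructed sample: the listing quoted in the thread, one route per line.
SAMPLE_NETSTAT = """\
Destination Gateway Flags Refs Use Interface
default 10.1.101.254 UGS 6 467279 fta0
10.5.150.24 10.1.101.253 UGHDM 1 36645 fta0
10.6.50.2 10.1.101.253 UGHDM 0 44 fta0
10.6.50.6 10.1.101.253 UGHDM 0 525 fta0
10.8.50.5 10.1.101.253 UGHDM 1 8318 fta0
"""


@dataclass
class Route:
    destination: str
    gateway: str
    flags: str
    refs: int
    use: int
    interface: str

    def from_redirect(self) -> bool:
        """True if an ICMP redirect installed or changed this entry."""
        return "D" in self.flags or "M" in self.flags


def parse_netstat(text: str) -> list[Route]:
    """Parse six-column netstat output; header and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[3].isdigit():
            continue
        dest, gw, flags, refs, use, iface = parts
        routes.append(Route(dest, gw, flags, int(refs), int(use), iface))
    return routes


def redirect_routes(routes: list[Route]) -> list[Route]:
    return [r for r in routes if r.from_redirect()]


def redirect_gateways(routes: list[Route]) -> dict[str, int]:
    """Count redirect-learned routes per gateway. One gateway absorbing
    many host routes is the pattern in the thread's listing."""
    counts: dict[str, int] = {}
    for r in redirect_routes(routes):
        counts[r.gateway] = counts.get(r.gateway, 0) + 1
    return counts


def describe(route: Route) -> str:
    """Expand the flag letters into words for a report line."""
    return ", ".join(FLAG_MEANING.get(f, f"unknown flag {f}") for f in route.flags)


if __name__ == "__main__":
    table = parse_netstat(SAMPLE_NETSTAT)
    for r in redirect_routes(table):
        print(f"{r.destination:>12} via {r.gateway} [{r.flags}] {describe(r)}")
    print("redirect-learned routes per gateway:", redirect_gateways(table))
```

Run against real output by piping `netstat -rn` into `parse_netstat`; the header check relies only on the refs column being numeric, so it tolerates the varying header text different netstat versions print.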

