Date: Wed, 21 Feb 2001 15:35:11 -0500
From: "Louis A. Mamakos" <louie@TransSys.COM>
To: "Jonathan Graehl" <jonathan@graehl.org>
Cc: "freebsd-Arch" <freebsd-arch@FreeBSD.ORG>
Subject: Re: Why are ICMP redirects observed by default?
Message-ID: <200102212035.f1LKZBD58861@whizzo.transsys.com>
In-Reply-To: Your message of "Wed, 21 Feb 2001 12:15:45 PST." <NCBBLOALCKKINBNNEDDLGEEPDLAA.jonathan@graehl.org>
References: <NCBBLOALCKKINBNNEDDLGEEPDLAA.jonathan@graehl.org>
> I thought ICMP redirects had fallen out of favor; is the security risk (an
> interloper being able to change routing tables) considered insignificant for
> leaf or edge machines? Do redirects actually help performance in the real
> world? Of course, there is nothing to complain about, since the behavior can be
> toggled; I am simply curious as to what the current feeling about them is (aside
> from the warm fuzzy feeling of RFC-compliance)

If you have a subnetwork with a bunch of end-systems (hosts), and more than one egress choice (e.g., multiple routers on the same LAN), then ICMP redirects can be very useful. If you don't have this situation, then running with a static default route, or running a simple router discovery protocol is adequate; you're not trying to choose between alternatives, you're just trying to discover the *only* alternative.

The alternative scenario is that the end-systems have to participate in some routing infrastructure. That is, you run something like gated or routed and either actively participate or "wire-tap" the routing protocol to figure out what router to use for each destination when there are multiple alternatives to choose between. This can be a pain, since you've now coupled the administration of the routing infrastructure to behavior that end-systems see, which needlessly complicates administrating the overall system.

So, you can simply use rdiscd to find a default route to a working router. If that happens to be the wrong choice for a particular destination, a redirect is generated for that destination to the end host. It uses that for a while, and then times it out. Note that you can still run VRRP or some other mechanism to find *any* working router; redirects are used to refine the per-destination choice.

If you don't generate the redirect, then the default router has to forward the packet back across the same LAN to the egress router which should have been used in the first place. This wastes forwarding capacity on the first router and network bandwidth (though if it's a switched network, this is less of an issue.)

You probably ought to filter out ICMP redirects coming from non-local sources. They clearly don't make any sense. But PLEASE, don't just nuke all ICMP messages; no sense in needlessly breaking path MTU discovery.

Of course the assumption is that the routers on the subnetwork are aware of each other, and thus can know when to generate a redirect to an alternative. If this isn't the case, well, then you're already in the land of "special" and none of this probably applies to you.

louie
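The filtering Louie describes (drop redirects from non-local sources, keep the rest of ICMP) is, at the host, a check on the redirect's sender and on the gateway it advertises. The following is an added example, not code from the thread or from FreeBSD: it parses a constructed IPv4 ICMP Redirect (type 5) and applies the sanity checks a host should apply, namely that the sender is on the local subnet and is the current first-hop router, and that the new gateway is on a directly connected network (the RFC 1122 host rules). The addresses and the minimal packet builder are constructed for illustration.

```python
import ipaddress
import struct

# Constructed scenario: this host sits on 192.0.2.0/24 and currently uses
# 192.0.2.1 as its first-hop (default) router. Documentation-range addresses.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
CURRENT_GATEWAY = ipaddress.ip_address("192.0.2.1")
OUR_ADDR = ipaddress.ip_address("192.0.2.10")

def parse_redirect(pkt: bytes):
    """Parse an IPv4 packet carrying an ICMP Redirect (type 5).
    Returns (sender, new_gateway, redirected_dst) or None if not a redirect."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != 1:                    # IP protocol 1 = ICMP
        return None
    sender = ipaddress.ip_address(pkt[12:16])
    icmp = pkt[ihl:]
    if icmp[0] != 5:                   # ICMP type 5 = Redirect
        return None
    new_gw = ipaddress.ip_address(icmp[4:8])      # advertised gateway
    inner = icmp[8:]                              # quoted original IP header
    redirected_dst = ipaddress.ip_address(inner[16:20])
    return sender, new_gw, redirected_dst

def accept_redirect(pkt: bytes) -> bool:
    """Host-side acceptance checks: reject redirects from non-local senders,
    from anyone other than the router we actually use, and redirects whose
    new gateway is not directly reachable on the local subnet."""
    parsed = parse_redirect(pkt)
    if parsed is None:
        return False
    sender, new_gw, _dst = parsed
    if sender not in LOCAL_NET:        # the "non-local source" case
        return False
    if sender != CURRENT_GATEWAY:      # only our first-hop router may redirect us
        return False
    if new_gw not in LOCAL_NET:        # new gateway must be on a connected net
        return False
    return True

def build_redirect(sender: str, new_gw: str, dst: str) -> bytes:
    """Construct a minimal host redirect (type 5, code 1) for testing; checksums
    are left zero because this code never hands the packet to a real stack."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 56, 0, 0, 64, 1, 0,
                         ipaddress.ip_address(sender).packed, OUR_ADDR.packed)
    icmp = struct.pack("!BBH4s", 5, 1, 0, ipaddress.ip_address(new_gw).packed)
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                        OUR_ADDR.packed, ipaddress.ip_address(dst).packed)
    return ip_hdr + icmp + inner + b"\x00" * 8   # plus 8 bytes of quoted payload
```

Passing the redirect's quoted destination through unchanged lets the caller install a per-destination route that expires later, which is the refinement role the message describes for redirects.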