ICMP Redirect on Resolvers

Owen DeLong owen at delong.com
Sun Apr 7 19:25:30 UTC 2013


On Apr 6, 2013, at 16:03 , Valdis.Kletnieks at vt.edu wrote:

> On Sat, 06 Apr 2013 10:38:06 -0400, shawn wilson said:
> 
>> What would break if u dropped all ICMP packets with redirects on public
>> facing boxes?
> 
> Presumably nothing, as long as you guaranteed that your IP address, netmask,
> and routes actually match the reality of your network configuration.  In that
> case, you shouldn't see any valid ICMP redirects.  They're there mostly so
> things kind-of-sort-of work even if you botch it (so for instance, even if you
> whiff your default route accidentally, you can still ssh in from Tokyo and fix
> it).
> 

Not entirely true.

They also cover the case where there are two (or more) routers on the
network and you don't want to have to configure more specific routes
on all your workstations.

For example, network B has routers [A] and [C]. Router [A] leads
to the internet. Router [C] leads to networks R, S, T, and U.

Hosts on network B can be configured with default->[A] and
as long as [A] and [C] have proper routing information via
IGP, BGP, and/or static routing including all of the more specifics,
then [A] can send back redirects to hosts on network B when they
try to reach networks {R,S,T,U}.

If you block ICMP redirects, then you won't break anything, but you
will increase the traffic load on network B and router [A] as it will
hairpin all of the traffic from those hosts to {R,S,T,U}.

Owen
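The two-router case above, as an added example (not code from the thread or from any of its authors): a small Python model in which hosts on network B default to router [A], [A] knows that R, S, T and U sit behind [C], and [A] applies the RFC 792 / RFC 1122 redirect rule (send a redirect when a packet arriving from an on-link source would be forwarded back out the same link to a next hop on that link). The simulation counts how many packets hairpin through [A] when the host honours redirects versus when it drops them. All addresses and networks are constructed from RFC 5737 / RFC 6598 space and are assumptions of the example.

```python
"""
Model of a host on network B with two routers: A (default, reaches the
internet) and C (reaches networks R, S, T, U). Router A sends an ICMP
redirect when the next hop for a packet is on the same link the packet
came from. Example code added for illustration; addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Network B and the two routers on it (constructed, RFC 5737 TEST-NET-1)
NET_B = ipaddress.ip_network("192.0.2.0/24")
ROUTER_A = ipaddress.ip_address("192.0.2.1")
ROUTER_C = ipaddress.ip_address("192.0.2.2")
HOST = ipaddress.ip_address("192.0.2.50")

# Networks R, S, T, U behind router C (constructed)
BEHIND_C = {
    "R": ipaddress.ip_network("198.51.100.0/24"),
    "S": ipaddress.ip_network("203.0.113.0/24"),
    "T": ipaddress.ip_network("10.10.0.0/16"),
    "U": ipaddress.ip_network("10.20.0.0/16"),
}
INTERNET = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample destinations: a host in R, a host in T, an internet host
HOST_IN_R = ipaddress.ip_address("198.51.100.7")
HOST_IN_T = ipaddress.ip_address("10.10.4.9")
INTERNET_HOST = ipaddress.ip_address("100.64.0.1")
SAMPLE_DESTINATIONS = [HOST_IN_R] * 3 + [HOST_IN_T] * 3 + [INTERNET_HOST] * 2


@dataclass
class Router:
    name: str
    addr: ipaddress.IPv4Address
    routes: dict  # network -> next-hop address, or the string "upstream"

    def lookup(self, dst):
        """Longest-prefix match over the routing table."""
        best = None
        for net, nh in self.routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1]

    def forward(self, src, dst):
        """Return (next_hop, redirect_target). A redirect is generated when the
        packet came from an on-link host and the next hop is also on-link, i.e.
        the packet will be hairpinned back out the interface it arrived on."""
        nh = self.lookup(dst)
        redirect = None
        if src in NET_B and isinstance(nh, ipaddress.IPv4Address) and nh in NET_B:
            redirect = nh
        return nh, redirect


@dataclass
class Host:
    addr: ipaddress.IPv4Address
    accept_redirects: bool  # the accept-redirects knob being discussed
    default_gw: ipaddress.IPv4Address
    host_routes: dict = field(default_factory=dict)  # learned dst -> gateway

    def next_hop(self, dst):
        return self.host_routes.get(dst, self.default_gw)

    def learn_redirect(self, dst, gw):
        # A host that drops redirects never installs the more-specific route.
        if self.accept_redirects:
            self.host_routes[dst] = gw


def simulate(accept_redirects, destinations):
    """Send one packet per destination from the host. Returns
    (packets hairpinned through A, redirects A sent, routes the host learned)."""
    router_a = Router("A", ROUTER_A,
                      {INTERNET: "upstream",
                       **{net: ROUTER_C for net in BEHIND_C.values()}})
    host = Host(HOST, accept_redirects, ROUTER_A)
    hairpins = 0
    redirects = 0
    for dst in destinations:
        if host.next_hop(dst) == ROUTER_C:
            continue  # delivered directly across network B, A never sees it
        nh, redirect = router_a.forward(host.addr, dst)
        if nh == ROUTER_C:
            hairpins += 1  # A forwarded the packet back onto network B
        if redirect is not None:
            redirects += 1
            host.learn_redirect(dst, redirect)
    return hairpins, redirects, dict(host.host_routes)


if __name__ == "__main__":
    for accept in (True, False):
        h, r, routes = simulate(accept, SAMPLE_DESTINATIONS)
        print(f"accept_redirects={accept}: hairpinned={h} redirects_sent={r} "
              f"learned={len(routes)} host routes")
```

With redirects honoured, only the first packet to each destination behind [C] crosses [A]; with them dropped, every packet to R, S, T and U hairpins through [A] and [A] keeps emitting redirects that nobody uses, which is the extra load on network B and [A] the post describes. Traffic for the internet is unaffected either way, since [A]'s next hop for it is not on network B. On Linux the host-side knob modelled here is `net.ipv4.conf.all.accept_redirects` (with `secure_redirects` narrowing acceptance to gateways already in the routing table), and the router-side one is `send_redirects`.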
