Re: 2.4.19 ICMP redirects erroneously ignored

[Tim Gardner <timg@tpi.com>]

I understand the ramifications of ICMP redirect and how it can be mis-used. 
However, the SuSE 8.1 default for non-forwarding 
(/proc/sys/net/ipv4ip_forward==0) Linux is to accept redirects. I also own 
the router, so I trust it.

rtg
On Wednesday 08 January 2003 10:16, Ranjeet Shetye wrote:
> On Thu, 2003-01-09 at 02:52, Tim Gardner wrote:
> > I'm getting pounded by ICMP redirects from my Nortel router. The
> > setup is a SuSE 8.1 (2.4.19) standard client with fixed IP and netmask.
> > The client is configured with a default route. However, there are
> > several routers on the subnet that the default router knows about.
> > Hence, the reason that the Nortel router emits ICMP redirects
> > which my client steadfastly ignores.
> >
> > I've RTFM, read the kernel source, and checked the relevant settings
> > (/proc/sys/net/ipv4/conf/all/*). I find in /proc/net/rt_cache that there
> > are 2 entries, one of which is marked RTCF_REDIRECTED.
> >
> > Why isn't this redirected route being used?
>
> AFAIK, because that would mean that you are allowing another machine to
> manipulate your routing tables by simply using ICMP. How do you know
> that you can trust the other machine, in this case, the nortel router ?
> The problem is not of (missing) functionality, its about trusting the
> integrity of the source of the ICMP redirect.
>
> > This seems like a problem that ought to be common to anyone that
> > has multiple routers on the same subnet. What am I missing?
> >
> > rtg
> > -
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel"
> > in the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at  http://www.tux.org/lkml/

-- 
Tim Gardner - timg@tpi.com 406-443-5357
TriplePoint, Inc. - http://www.tpi.com
PGP: http://www.tpi.com/PGP/Tim.txt