Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

when are ICMP redirects used

Status
Not open for further replies.

gmail2

Programmer
Jun 15, 2005
987
IE
Hi all

I hope somebody can help me out with this as I can't find the answer on google. We have some asymmetric routing in our internal network because of some recent additions. We're working on redesigning it to eliminate the asymmetry but for now we have to find ways around it

We have a host b on LAN 1 which needs to communicate with host a on LAN 2 through router 1. Router 1 is the default gateway for host b but not for host a. When host b sends a packet to host a, it goes through router 1 & then directly to host a. When host a sends the response, it sends it not to router 1, but to it's default gateway (router 2), which in turn knows that LAN 1 is reachable through router 1 & so sends it there. I've been told that router 2 should send an ICMP redirect back to host a so that it knows to send packets directly to router 1 instead of going through router 2. However this is not happening. So I have a few questions:

1. Is the ICMP redirect only sent to a host if it initiated the session but not (as in this case) if it is responding to a client?
2. If not, what do session aware devices do in this case as they do not have the originating session in their session table ? Do they drop the packet or send the ICMP redirect?
3. Does router b send the packet onto router a & THEN tell the host to send subsequent packets to router a, or does of drop the packet & tell the host to send the packet to router a itself

If an ICMP redirect is received during a TCP handshake:
4. Does the new route get used for the SYN-ACK or ACK or is the new route only used after the handshake is complete?
5. Or does the handshake start over again with a new SYN?
6. Or is this OS depenant? In this case win 2k

sorry, I know I haven't explained the topology very well. I think the diagram in the PDF below should help. The example the author uses is the opposite scenario to ours


Thanks in advance

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau
 
Hi there,
well it's been a long time since I've done some "networking" so I'm not sure about what I say here. Just want to point out some things ...

First of all is your router configured to send ICMP redirect messages? (since the only one who can know something is wrong is the router, he must send the message, depending on the make/model I suppose this can be turned on/off)

Do your servers accept ICMP redirect messages? Not sure this is enabled by default as it is considered a security problem (since ICMP are not secured in any way, no logon or something equivalent required, any hacker could send a ICMP redirect to your host now rerouting the traffic through his "infrastructure" for careful inspection ;-)
there is a key in the registry that controls this on windows boxes (check HKLM\system\currentcontrolset\services\tcpip\parameters\EnableICMPRedirect )

No packets are dropped, the ICMP redirect is intercepted by the TCP/IP stack and the OS the updates the routing table (this is the security problem:)

It has no impact on SYN SYN-ACK ACK handshake as no packets are lost... only subsequent packet in the same session will follow another route (the session state is independent of route used, traffic in both directiin can go over different routes and routes can changed while the connection stays connected, this is the whole principe of an unbreakable Internet)

G.
 
Thanks for the reply. On the router side (Cisco), ICMP redirects are not "enabled" per say but they have not been explicitly disabled & I beleive the default behaviour in Cisco is enabled. Likewise, on Windows the default behaviour is to accept, but I have already double confirmed the registry entry on the machine

I think I'll have to do some wiresharking next week & investigate further

Regarding the 3-way handshake, the reason I ask is because our firewalls (and probably most devices that do stateful inspection) will not allow a SYN-ACK top pass through if it didn't see the initial SYN. I'm not too sure if routers do this also

Thanks again for the reply. I'll post back more info once I've done some sniffing

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau
 
...will not allow a SYN-ACK top pass through if it didn't see the initial SYN. I'm not too sure if routers do this also"

Yes---it's called TCP Intercept---it proxies the SYN-ACK and if the host does not ACK, the packet gets dropped. A TCP-SYN-FLOOD attack only sends out SYN packets, so all the packets will never see the intended target. This can be set with parameters (like SYN-WAIT times, and other thresholds) so that the router/firewall doesn't burst into flames trying to proxy answer all those SYN packets.

Burt
 
Burt,
Thanks for pointing this out...
As I said, it's been a long time since I've done some networking (well at least long in terms compared to ICT evolution speed ;-)

I guess, by now such provisions in routers will be quite commons given the abundance of DDOS attacks.

Anyway, it shows again like my previous argument about hackers adapting your routing tables, that ICMP redirect does have some security consequences...

G.
 
Yes---TCP/IP in general is very insecure by design! What ever happened to DECNET???lol
You want the most secure OS out there, try OpenVMS! Ironic how Windows NT really came from VMS---Windows is one big virus, IMO...

Burt
 
[tt]

[/tt]
"Windows is one big virus"
[tt]
Hmmm,,,,,

This is what viruses do:

1) They replicate quickly.
(Okay, Windows does that)

2) Viruses use up valuable system resources.
(Windows does that too)

3) Viruses usually trash your hard disk if they are not
controlled.
(Alright, alright, Windows does that too)

4) Viruses usually contaminate valuable programs or
utilities, rendering them useless when the virus
is finally removed.
(o.k., that's Windows too)

5) Viruses will occasionally make the user suspect
that their system is too slow (see #2) or
unstable, and the user will buy new hardware.
(Yup, that's Windows, too)

Well, until now it seems Windows is INDEED a virus but,,,

THERE ARE FUNDAMENTAL DIFFERENCES:

1) Viruses tend to be well supported by their authors.

2) Viruses install automatically with ease and run
on most every system.

3) Viruses are generally fast, compact and efficient.

4) Viruses tend to become more sophisticated as
new versions are released.

5) Viruses are distributed rapidly and automatically.

6) Viruses are "shareware," they are provided at no
initial cost.

There you have it, Windows is NOT, I repeat NOT a virus!

[/tt]

Steve
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top