ICMP Redirect on Resolvers

Shahab_Vahabzadeh · April 6, 2013, 5:36am

Hello everybody,
I have two DNS Server (resolver) running on FreeBSD 9.0, I always see in
console messages like this:

icmp redirect from 192.168.140.36: 192.168.179.80 => 192.168.140.254

and lots of messages like this, mostly ip addresses not belong to me, and
some times these resolvers stop working.
My question is what are these messages? why they only shown in console of
these servers not others? And are they cause the problems like stopping
working for server/services?
Thanks

Tony_Finch · April 6, 2013, 5:58am

You probably configured the wrong default router address or netmask.

Tony.

Keith_Medcalf · April 6, 2013, 6:20am

icmp redirect from 192.168.140.36: 192.168.179.80 => 192.168.140.254

The host attempted to send a packet to 192.168.179.80 via 192.168.140.36. 192.168.140.36 forwarded the packet to 192.168.140.254 according to its routing table, but is advising you (and the kernel has added to the routing table) that in the future you reach 192.148.179.80 via 192.168.140.254, not via 192.168.140.36.

James_Hess · April 6, 2013, 7:12am

Although spoofed ICMP redirects mightalso be abused to
intercept/quietly sniff traffic
on a switched LAN;
The default gateway responding with a redirect in that situation
is the normal case where you expect to receive an ICMP redirect. ; in
that particular case ICMP redirect improves matters, by directing
clients to send their packets directly to that other router on that
LAN, thus eliminating one router hop for future packets to that
destination IP address (until the destination IP address' redirect
entry gets aged out in the sending host's route cache),
which is the whole point of ICMP redirects.

However... routes are better than redirects.

An ICMP redirect applies to only one IP address that is redirected, so
if you made heavy use of that functionality (eg Large LANs, with this)
-- many table entries could be spent on the redirects; an actual
route on the host is much better than relying on ICMP redirects for
providing more deterministic behavior while still avoiding suboptimal
routing, because only a small number of table entries are required
on the hosts (entry per network).

It's not an ideal situation, to have a large number of hosts reached
through an ICMP redirect; in the ideal situation, you design
networks so that you don't route traffic across a LAN network to a
next hop IP address that also contains end hosts, instead, give
routers dedicated 'links' or 'LANs', where the other endpoints are
routers only (and route to next hops on those networks, instead of
end-host LANs), or else: at least populate the routing tables of end
hosts on any LAN you route through (using static routes, or a routing
protocol on the servers), so that you aren't carrying around ICMP
redirects.

Failing all that, if the LANs are large, and a large number of ICMP
redirects would occur, it may be preferrable to turn ICMP redirects
off for those LANs on their routers

Shawn_Wilson · April 6, 2013, 2:38pm

What would break if u dropped all ICMP packets with redirects on public
facing boxes?

Valdis_Kletnieks · April 6, 2013, 11:03pm

Presumably nothing, as long as you guaranteed that your IP address, netmask,
and routes actually match the reality of your network configuration. In that
case, you shouldn't see any valid ICMP redirects. They're there mostly so
things kind-of-sort-of work even if you botch it (so for instance, even if you
whiff your default route accidentally, you can still ssh in from Tokyo and fix
it).

James_Hess · April 7, 2013, 1:43am

case, you shouldn't see any valid ICMP redirects. They're there mostly so

things kind-of-sort-of work even if you botch it (so for instance, even if
you whiff your default route accidentally, you can still ssh in from Tokyo and
fix > it).

For ICMP redirects to do anything useful, a valid route has to
actually be there already, on the default gateway....

Perhaps you are thinking of proxy arp?

Owen_DeLong · April 7, 2013, 7:25pm

Not entirely true.

They also cover the case where there are two (or more) routers on the
network and you don't want to have to configure more specific routes
on all your workstations.

For example, network B has routers [A] and [C]. Router [A] leads
to the internet. Router [C] leads to networks R, S, T, and U.

Hosts on network B can be configured with default->[A] and
as long as [A] and [C] have proper routing information via
IGP, BGP, and/or static routing including all of the more specifics,
then [A] can send back redirects to hosts on network B when they
try to reach networks {R,S,T,U}.

If you block ICMP redirects, then you won't break anything, but you
will increase the traffic load on network B and router [A] as it will
hairpin all of the traffic from those hosts to {R,S,T,U}.

Owen

Valdis_Kletnieks · April 8, 2013, 1:47am

As I said - if your config (including routes) matches your network reality.
Note that the rest of your comment addresses the case where your initial config
doesn't match reality...

Owen_DeLong · April 8, 2013, 5:32am

Not true. Reality is that the default router configured on the hosts is capable
of getting the packets delivered. It's not optimal, but it is reality.

Owen