[28835] in North American Network Operators' Group


Re: IGPs and services?

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu May 18 13:44:35 2000

Message-Id: <200005181742.e4IHg7n27200@black-ice.cc.vt.edu>
To: nanog@merit.edu
In-reply-to: Your message of "Thu, 18 May 2000 10:57:31 EDT."
             <Pine.LNX.4.10.10005181053060.25904-100000@redhat1.mmaero.com> 
From: Valdis.Kletnieks@vt.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 18 May 2000 13:42:07 -0400
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, 18 May 2000 10:57:31 EDT, Jon Lewis said:
> On Thu, 18 May 2000, Bryan C. Andregg wrote:
> > Pardon my ignorance here, but won't ICMP redirects take care of this situation
> > already?
> 
> Some platforms don't deal well relying on redirects.  The first time they
> try to reach a destination, a redirect causes them to insert a host route
> in their routing table.  If that destination moves (say a static IP
> connecting to whatever access server they happen to hit), some OS's will
> refuse to accept further redirects pointing the destination toward a
> different gateway.

In addition, there's the routing table size issue - I had an NTP server that
erroneously got Path MTU Discovery turned on.  Debugging routing table problems
is.. um... interesting... when you have 4,000+ static host routes (nothing
like watching the DNS burp because you said 'netstat -r' rather than '-r -n' ;)

At least the PMTU discovery support I've seen expires those routes after
a while - often ICMP redirects live forever, resulting in a long list of
host routes all pointing at the default router....

There's also the issue that most routing protocols can be configured to
only accept updates from a given access list (which should probably be
peer routers) - ICMP redirects can come from anybody, exposing you to a
man-in-the-middle attack. (Yes, I know it's *NOT* complete protection, but
disabling acceptance of ICMP redirects closes at least SOME issues).

-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
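The two symptoms raised in this thread, a routing table stuffed with host routes that a redirect (or PMTU discovery) installed, and a host that still honours redirects from any sender, can both be checked from captured text. The script below is an added example written for this archive page; it is not code from the original post or from NANOG. It assumes Linux net-tools `netstat -rn` output (where the `D` and `M` flags mark routes installed or modified by a daemon or redirect) and `sysctl net.ipv4.conf` output, and both samples are constructed, using documentation address ranges.

```python
"""Audit a host for reliance on ICMP redirects (added example, not from the post).

Two checks, both on text captured elsewhere so the script runs offline:
  1. routing-table output in `netstat -rn` (Linux net-tools) format: count
     host routes and mark the ones whose flags say they were installed (D)
     or modified (M) by a redirect;
  2. `sysctl net.ipv4.conf` output: decide per interface whether redirects
     would still be accepted.
All sample text below is constructed for this example.
"""
import re
from collections import Counter

# Constructed routing table; addresses are from documentation ranges.
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
198.51.100.7    192.0.2.254     255.255.255.255 UGHD      0 0          0 eth0
198.51.100.9    192.0.2.254     255.255.255.255 UGHD      0 0          0 eth0
203.0.113.5     192.0.2.1       255.255.255.255 UGHM      0 0          0 eth0
"""

# Constructed sysctl output for the same host.
SYSCTL_OUT = """\
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.forwarding = 1
"""


def parse_routes(text):
    """Return one dict per route line, skipping the two header lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, flags = fields[:4]
        routes.append({"dest": dest, "gw": gw, "mask": mask,
                       "flags": set(flags), "iface": fields[7]})
    return routes


def redirect_host_routes(text):
    """Host routes (flag H) that also carry D or M, i.e. installed or
    modified by a redirect or routing daemon rather than configured."""
    return [r for r in parse_routes(text)
            if "H" in r["flags"] and r["flags"] & {"D", "M"}]


def routes_per_gateway(routes):
    """Count learned host routes per next hop: many entries all pointing at
    one router is the 'long list of host routes' symptom from the post."""
    return Counter(r["gw"] for r in routes)


def parse_sysctl(text):
    """Map 'key = value' lines to {key: int}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s*=\s*(\d+)\s*$", line)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def redirects_accepted(sysctl, iface):
    """Effective accept_redirects for one interface, per the kernel's
    ip-sysctl documentation: with forwarding on, both conf.all and
    conf.<iface> must be 1; with forwarding off, either one being 1 is
    enough (so zeroing only the interface knob does not protect a host)."""
    all_v = sysctl.get("net.ipv4.conf.all.accept_redirects", 0)
    if_v = sysctl.get(f"net.ipv4.conf.{iface}.accept_redirects", 0)
    fwd = sysctl.get(f"net.ipv4.conf.{iface}.forwarding",
                     sysctl.get("net.ipv4.conf.all.forwarding", 0))
    return bool(all_v and if_v) if fwd else bool(all_v or if_v)


def audit(netstat_text, sysctl_text):
    """Summarise both checks as a dict so callers can test the result."""
    learned = redirect_host_routes(netstat_text)
    sysctl = parse_sysctl(sysctl_text)
    ifaces = sorted({k.split(".")[3] for k in sysctl
                     if k.startswith("net.ipv4.conf.")
                     and k.split(".")[3] not in ("all", "default")})
    return {
        "redirect_host_routes": len(learned),
        "per_gateway": dict(routes_per_gateway(learned)),
        "accepting": {i: redirects_accepted(sysctl, i) for i in ifaces},
    }


if __name__ == "__main__":
    report = audit(NETSTAT_RN, SYSCTL_OUT)
    print(f"{report['redirect_host_routes']} host routes learned via redirect")
    for gw, n in report["per_gateway"].items():
        print(f"  {n} pointing at {gw}")
    for iface, on in report["accepting"].items():
        print(f"{iface}: redirects {'ACCEPTED' if on else 'ignored'}")
```

Two caveats when applying this to a real box: the sample host has `eth0.accept_redirects = 0` yet still accepts redirects on eth0, because with forwarding off the `all` setting wins, which is why hardening guides set both `net.ipv4.conf.all.accept_redirects` and `net.ipv4.conf.default.accept_redirects` to 0. And on Linux kernels from 3.6 onward, next hops learned from redirects live in the route exception cache rather than the main table, so `netstat -rn` will not list them; `ip route show cache` is the place to look there.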


