ICMP unreachables (was: Watcher page moved...)
Tom Fitzgerald (fitz wang.com)
Sun, 2 Apr 95 4:30:24 EDT
> 4) Should routers discard received redirects that aren't
> addressed to the router?
> Routers should always ignore Redirects.
>
> A router using a routing protocol (other than static routes)
> MUST NOT consider paths learned from ICMP Redirects when
> forwarding a packet.

Yes, but this applies only to redirects which ARE addressed to the router. I was hoping for a way that a router could recognize a bogus redirect being sent through it to another host, and discard it, like it would discard source-routed traffic, or traffic with a spoofed source address.

Just as one example, Cisco routers can be configured to discard all ICMPs, but can't be configured to filter some types of ICMP but not others. It might work to filter out all ICMPs with a source address of the router itself, since apparently filters aren't applied to packets that originate on the router.

If the host ignores redirects that don't come from the current gateway (which it's supposed to do), then there shouldn't be any way to get a bogus redirect to it. If the host isn't careful about the source of redirects, then I don't think either Cisco or Netblazer access lists are enough to prevent spoofed redirects, without also disabling things like port-unreachables and ping, which are really too valuable to lose. Other routers may be more flexible.

--
Tom Fitzgerald   1-508-967-5278   Wang Labs, Lowell MA, USA   fitzwang.com
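The two checks the post describes, as an added example that is not part of the original message: a router-side filter that drops any transit ICMP packet claiming one of the router's own addresses as its source (the router's genuine ICMPs originate locally, so such a packet arriving on an interface is spoofed), and the host-side rule that a Redirect is honoured only if it comes from the gateway currently in use and names a new gateway on the host's own subnet. The packet builder, the IPv4/ICMP field parser and all addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 documentation ranges) are constructed for this example; the sample datagrams carry zero checksums and are test input only.

```python
import ipaddress
import struct

ICMP_PROTO = 1
ICMP_REDIRECT = 5  # ICMP type 5; code 1 = "redirect datagrams for the host"


def _packed(addr):
    return ipaddress.IPv4Address(addr).packed


def build_icmp_redirect(src, dst, new_gateway, inner_src, inner_dst):
    """Constructed sample: an IPv4 datagram carrying an ICMP Redirect.
    The embedded 'original datagram' is a bare 20-byte header plus 8 bytes.
    Checksums are left at zero (this is filter test input, not wire traffic)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        _packed(inner_src), _packed(inner_dst)) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, _packed(new_gateway)) + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     ICMP_PROTO, 0, _packed(src), _packed(dst))
    return ip + icmp


def parse_packet(packet):
    """Extract the IPv4 and ICMP fields the two checks need from a raw datagram."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    info = {
        "proto": packet[9],
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "icmp_type": None,
        "new_gateway": None,
    }
    if info["proto"] == ICMP_PROTO and len(packet) >= ihl + 8:
        info["icmp_type"] = packet[ihl]
        if info["icmp_type"] == ICMP_REDIRECT:
            # bytes 4..7 of a Redirect header hold the gateway address
            info["new_gateway"] = str(ipaddress.IPv4Address(packet[ihl + 4:ihl + 8]))
    return info


def router_transit_filter(packet, router_addresses):
    """Router-side rule from the post: drop any transit ICMP whose source
    address is one of the router's own. Returns (forward?, reason)."""
    info = parse_packet(packet)
    if info["proto"] == ICMP_PROTO and info["src"] in router_addresses:
        return False, "transit ICMP spoofs the router's own source address"
    return True, "not an ICMP packet claiming to be from this router"


def host_redirect_check(packet, current_gateway, local_subnet):
    """Host-side rule: accept a Redirect only from the gateway currently in use,
    and only if the new gateway is on the host's own subnet (RFC 1122 conditions).
    Returns (accept?, reason)."""
    info = parse_packet(packet)
    if info["icmp_type"] != ICMP_REDIRECT:
        return False, "not an ICMP Redirect"
    if info["src"] != current_gateway:
        return False, "redirect did not come from the current gateway"
    if ipaddress.IPv4Address(info["new_gateway"]) not in ipaddress.IPv4Network(local_subnet):
        return False, "new gateway is not on the local subnet"
    return True, "redirect accepted"


if __name__ == "__main__":
    ROUTER = {"192.0.2.1"}
    # A redirect arriving on an interface but claiming the router's own address.
    spoofed = build_icmp_redirect("192.0.2.1", "192.0.2.10", "192.0.2.99",
                                  "192.0.2.10", "198.51.100.7")
    print(router_transit_filter(spoofed, ROUTER))
    # A redirect from an address that is not the host's current gateway.
    other = build_icmp_redirect("198.51.100.7", "192.0.2.10", "192.0.2.99",
                                "192.0.2.10", "203.0.113.5")
    print(host_redirect_check(other, "192.0.2.1", "192.0.2.0/24"))
```

The router filter keys on source address only, so it leaves port-unreachables and echo replies from every other source untouched, which is what the post wants from a platform that cannot filter by ICMP type. The host check is the complement: it covers redirects from any source other than the current gateway, and rejects a new gateway that is not on-link even when the source matches.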