Re: Getting "ICMP Host redirect from gateway" response



On Tue, 29 May 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <f3hkpp$q08$01$1@xxxxxxxxxxxxxxxxx>, Burkhard Ott wrote:

ianbrn@xxxxxxxxx wrote:

I want to be able to ping machines and get "ICMP Host redirect from
gateway" (for learning more about ICMP redirects).

If 192.168.0.253 has 192.168.0.254 as default gw and your host is using
192.168.0.253 as default gw and you ping an external IP which is not
reachable via broadcast (e.g. 172.30.254.1) then you should receive a
nice icmp redirect by the time you ping the external IP.

I suspect you'll get an ICMP Type 3 Code 0 "Network unreachable" rather
than a redirect. Where would you be redirected to? A "redirect" occurs
when the router knows of a "better" route. See section 4.3.3.2
of RFC1812, which begins

4.3.3.2 Redirect

The ICMP Redirect message is generated to inform a local host that it
should use a different next hop router for certain traffic.

and compare that to section 4.3.3.1, the first part of which says

4.3.3.1 Destination Unreachable

If a router cannot forward a packet because it has no routes at all
(including no default route) to the destination specified in the
packet, then the router MUST generate a Destination Unreachable, Code
0 (Network Unreachable) ICMP message.

See also RFC2827 and RFC3704.

1812 Requirements for IP Version 4 Routers. F. Baker, Ed.. June 1995.
(Format: TXT=415740 bytes) (Obsoletes RFC1716, RFC1009) (Updated by
RFC2644) (Status: PROPOSED STANDARD)

2827 Network Ingress Filtering: Defeating Denial of Service Attacks
which employ IP Source Address Spoofing. P. Ferguson, D. Senie. May
2000. (Format: TXT=21258 bytes) (Obsoletes RFC2267) (Updated by
RFC3704) (Also BCP0038) (Status: BEST CURRENT PRACTICE)

3704 Ingress Filtering for Multihomed Networks. F. Baker, P. Savola.
March 2004. (Format: TXT=35942 bytes) (Updates RFC2827) (Also
BCP0084) (Status: BEST CURRENT PRACTICE)

Keep an eye on
/proc/sys/net/ipv4/conf/all/accept_redirects

Agreed - many O/S ignore them to prevent Denial Of Service attacks

Old guy
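
An added example, not part of the original thread: a shell audit that reports whether each interface will actually honour ICMP redirects. It combines conf/all, the per-interface value and the interface's forwarding flag, following the rule in the Linux kernel's ip-sysctl documentation; the function names and the optional conf-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Rule per the kernel's ip-sysctl docs:
#   forwarding on for the interface  -> conf/all AND conf/<if> must both be set
#   forwarding off for the interface -> conf/all OR  conf/<if> being set is enough

# Print 1 if the interface will accept ICMP redirects, else 0.
# $1 = interface name
# $2 = conf root (assumed parameter; defaults to the live /proc tree)
effective_accept_redirects() {
    root=${2:-/proc/sys/net/ipv4/conf}
    all=$(cat "$root/all/accept_redirects" 2>/dev/null) || return 2
    ifc=$(cat "$root/$1/accept_redirects" 2>/dev/null) || return 2
    fwd=$(cat "$root/$1/forwarding" 2>/dev/null) || return 2
    if [ "$fwd" != 0 ]; then
        # Router-style interface: both knobs must allow redirects.
        if [ "$all" != 0 ] && [ "$ifc" != 0 ]; then echo 1; else echo 0; fi
    else
        # Host-style interface: either knob is enough to allow redirects.
        if [ "$all" != 0 ] || [ "$ifc" != 0 ]; then echo 1; else echo 0; fi
    fi
}

# List every real interface with its effective setting.
# $1 = conf root (assumed parameter; defaults to the live /proc tree)
audit_redirects() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        # "all" and "default" are templates, not interfaces.
        case $name in all|default) continue ;; esac
        state=$(effective_accept_redirects "$name" "$root") || continue
        echo "$name accept_redirects=$state"
    done
}

# Run against the live system when the sysctl tree is present.
if [ -d /proc/sys/net/ipv4/conf ]; then audit_redirects; fi
```

An interface reported as `accept_redirects=1` will update its routing from a redirect; setting only conf/all to 0 does not change that on a non-forwarding host while the per-interface value is still 1.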
