Re: IGPs and services?

[Valdis.Kletnieks () vt edu]

On Thu, 18 May 2000 10:57:31 EDT, Jon Lewis said:
> On Thu, 18 May 2000, Bryan C. Andregg wrote:
> > Pardon my ignorance here, but wont ICMP redirects take care of this situation
> > already?
>
> Some platforms don't deal well relying on redirects.  The first time they
> try to reach a destination, a redirect causes them to insert a host route
> in their routing table.  If that destination moves (say a static IP
> connecting to whatever access server they happen to hit), some OS's will
> refuse to accept further redirects pointing the destination toward a
> different gateway.

In addition, there's the routing table size issue - I had an NTP server that
erroneously got Path MTU Discovery turned on.  Debugging routing table problems
is.. um... interesting... when you have 4,000+ static host routes (nothing
like watching the DNS burp because you said 'netstat -r' rather than '-r -n' ;)

At least the PMTU discovery support I've seen expires those routes after
a while - often ICMP redirects live forever, resulting in a long list of
host routes all pointing at the default router....

There's also the issue that most routing protocols can be configured to
only accept updates from a given access list (which should probably be
peer routers) - ICMP redirects can come from anybody, exposing you to a
man-in-the-middle attack. (Yes, I know it's *NOT* complete protection, but
disabling acceptance of ICMP redirects closes at least SOME issues).

-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech