On Thu, Dec 29, 2005 at 09:01:50PM -0800, Julian Elischer wrote:
> >IMHO we should disable emitting and acting upon ICMP redirects by default.
>
> I know many places that rely on them heavily.. please don't do that..
> Cisco PIX doesn't generate them.. it makes that machine a pain in the ****
> to use in some situations.
But you can always turn them back on if you need them.

I also vote for disabling ICMP redirects by default, from painful experience.

One place I worked many years ago had a pair of Cisco border routers as gateways to the outside world. They talked iBGP to each other, but just HSRP on the local network, i.e. there was a single shared IP address which the servers pointed defaultroute to.

Whenever a client machine sent a packet to X.X.X.X on the Internet, it would hit whichever router was the HSRP master. If BGP said that the best egress route was via the other router, it would forward the packet to the other router but also send back an ICMP redirect saying "to reach X.X.X.X in future use Z.Z.Z.Z as your next hop" (Z.Z.Z.Z being the other Cisco's own IP).

So, lots of machines on the network started building up *permanent* forwarding table entries saying that X.X.X.X should be reached via Z.Z.Z.Z. As a result, on the day that the second router died, half the Internet became unreachable from those machines. So much for resilience!

The solution was to turn off the generation of redirects on the Ciscos, followed by lots of route flushing everywhere else. But the moral is: ICMP redirects are evil and are no substitute for a routing protocol.

Regards,

Brian.

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
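An added example, not part of the thread above: a small POSIX sh audit of the two FreeBSD sysctls that control the behaviour Brian describes (emitting redirects when forwarding, and installing next-hop entries from received redirects). The knob names net.inet.ip.redirect and net.inet.icmp.drop_redirect are real FreeBSD sysctls; the sample sysctl output fed to the audit is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Audits the FreeBSD ICMP-redirect knobs:
#   net.inet.ip.redirect        1 = this host emits redirects when forwarding
#   net.inet.icmp.drop_redirect 1 = ignore redirects received from routers
# audit_redirects reads "name: value" or "name=value" lines on stdin (the two
# formats `sysctl` prints), so it can be tested offline; on a live host run:
#   sysctl net.inet.ip.redirect net.inet.icmp.drop_redirect | audit_redirects
# Returns 0 when both knobs are hardened, 1 when either is still weak.
audit_redirects() {
    audit_weak=0
    while IFS= read -r line; do
        case "$line" in
            *:*) name=${line%%:*}; value=${line#*:} ;;
            *=*) name=${line%%=*}; value=${line#*=} ;;
            *) continue ;;
        esac
        value=$(printf '%s' "$value" | tr -d ' ')
        case "$name" in
            net.inet.ip.redirect)
                # Emitting redirects is how the HSRP pair in the story pushed
                # per-destination next hops onto every host; hosts want 0.
                if [ "$value" != "0" ]; then
                    echo "WEAK: $name=$value (host emits ICMP redirects)"
                    audit_weak=1
                fi ;;
            net.inet.icmp.drop_redirect)
                # Accepting redirects installs the "permanent" forwarding
                # entries that outlived the router; hosts want 1 (drop them).
                if [ "$value" != "1" ]; then
                    echo "WEAK: $name=$value (host accepts ICMP redirects)"
                    audit_weak=1
                fi ;;
        esac
    done
    return $audit_weak
}

# The /etc/sysctl.conf lines to add when the audit reports weak settings.
hardened_sysctl_conf() {
    printf '%s\n' 'net.inet.ip.redirect=0' 'net.inet.icmp.drop_redirect=1'
}

# Constructed sample resembling FreeBSD's default values, for illustration.
SAMPLE_DEFAULTS='net.inet.ip.redirect: 1
net.inet.icmp.drop_redirect: 0'

printf '%s\n' "$SAMPLE_DEFAULTS" | audit_redirects || hardened_sysctl_conf
```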