Brian Candler wrote:
> On Thu, Dec 29, 2005 at 09:01:50PM -0800, Julian Elischer wrote:
>
> > > IMHO we should disable emitting and acting upon ICMP redirects by default.
> >
> > I know many places that rely on them heavily.. please don't do that..
> > Cisco PIX doesn't generate them.. it makes that machine a pain in the ****
> > to use in some situations.
>
> But you can always turn them back on if you need them.
>
> I also vote for disabling ICMP redirects by default, from painful
> experience.
>
> One place I worked many years ago had a pair of Cisco border routers as
> gateways to the outside world. They talked iBGP to each other, but just HSRP
> on the local network, i.e. there was a single shared IP address which the
> servers pointed defaultroute to.
>
> Whenever a client machine sent a packet to X.X.X.X on the Internet, it would
> hit whichever router was the HSRP master. If BGP said that the best egress
> route was via the other router, it would forward the packet to the other
> router but also send back an ICMP redirect saying "to reach X.X.X.X in
> future use Z.Z.Z.Z as your next hop" (Z.Z.Z.Z being the other Cisco's own
> IP)
>
> So, lots of machines on the network started building up *permanent*
> forwarding table entries saying that X.X.X.X should be reached via Z.Z.Z.Z.
> As a result, on the day that the second router died, half the Internet
> became unreachable from those machines. So much for resilience!
>
> The solution was to turn off the generation of redirects on the Ciscos,
> followed by lots of route flushing everywhere else. But the moral is: ICMP
> redirects are evil and are no substitute for a routing protocol.
Indeed. And another problem with ICMP redirects is that they only create host routes. If you have a server with clients on the big wide Internet you'll get thousands to hundred-thousands of host routes from redirects.

-- 
Andre

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
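An added example, not part of the thread: a shell snippet that picks out redirect-installed host routes from FreeBSD `netstat -rn` output (FreeBSD marks them with the D flag, RTF_DYNAMIC) using a constructed sample, together with the sysctl settings that stop a host from sending or acting on redirects, which is the default the thread argues for. The sample routing table and the `harden_redirects` helper are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout of `netstat -rn` on FreeBSD. The last
# two entries are host routes installed by ICMP redirects (flags D, M).
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
127.0.0.1          link#2             UH          lo0
192.0.2.0/24       link#1             U           em0
198.51.100.7       192.0.2.2          UGHD        em0
203.0.113.9        192.0.2.2          UGHDM       em0'

# Print "destination gateway" for every route whose Flags include D.
# Reads netstat -rn style text on stdin; only routing sections are parsed.
redirect_routes() {
    awk '
        /^Internet6?:/ { inet = 1; next }   # start of a routing section
        /^$/           { inet = 0 }         # blank line ends the section
        inet && $3 ~ /^[A-Z]+$/ && $3 ~ /D/ { print $1, $2 }
    '
}

# Number of redirect-learned routes in the sample.
count_redirect_routes() {
    printf '%s\n' "$SAMPLE_NETSTAT" | redirect_routes | wc -l | tr -d ' '
}

# Host-side fix the thread argues for (persist the two settings in
# /etc/sysctl.conf). Must run as root on the FreeBSD host; not called here.
#   net.inet.icmp.drop_redirect=1  ignore redirects this host receives
#   net.inet.ip.redirect=0         never send redirects when forwarding
harden_redirects() {
    sysctl net.inet.icmp.drop_redirect=1 net.inet.ip.redirect=0
    # Drop the host routes that earlier redirects already installed; the
    # thread reports these persist, so the sysctls alone do not clear them.
    netstat -rn | redirect_routes | while read -r dst gw; do
        route delete -host "$dst"
    done
}

# Show what the sample table contains.
printf '%s\n' "$SAMPLE_NETSTAT" | redirect_routes
```

Run `harden_redirects` once the output lists only routes you expect to lose; any host route you added deliberately with the same flags will be deleted as well.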