
Tips and Tricks:

How to avoid ICMP Redirects

Version 1.0

25.05.2007     Juergen Arlt
       Problem
       A high number of ICMP redirects is seen in the network and the 8600 CPU is loaded.


       Background
       Whenever a router receives a packet that, according to its routing table, has to be routed back onto
       the IP network (VLAN) on which it was received, the router generates an ICMP redirect packet and
       sends it to the sender of the original packet, which is either the originating station or the last
       router the packet travelled through.




       Figure 1: ICMP redirects

       As long as redirects are enabled, this is done either at certain intervals or for every packet,
       depending on the vendor implementation.
       If the sending station ignores the ICMP redirect and continues sending the packets to this router, the
       number of data packets on this network segment doubles in the worst case, and for every packet an
       ICMP redirect packet is sent in addition. Typical examples of stations ignoring these packets are
       firewalls, which do so to prevent potential attacks.


       Specifics of the ERS 8600
       The ERS 8600 sends an ICMP redirect for every packet that should have been sent to another
       router.




ICMP Redirect - v 1.0                                   jarlt                                             Page 2
       When a packet that needs to be sent back out onto the same network is received on a pre-E-module
       of an ERS 8600, a copy of the packet is sent to the ERS 8600 CPU so that the ICMP redirect packet can
       be generated. The copy of the packet is tagged with a specific code when sent to the 8600 CPU,
       indicating that an ICMP redirect has to be generated. E-, M- and R-modules of the ERS 8600 generate
       the ICMP redirect themselves and do not need to send a copy of the frame to the CPU.

       If the sending station ignores the ICMP redirect and continues sending the packets to this ERS 8600,
       the CPU is permanently loaded by the work of handling this additional traffic. Depending on the
       traffic volume of the sending stations, the CPU load may grow to significant values.

       In the CPU trace these copied IP packets show up as large runs of messages with code
       0103.

                 [05/23/07 13:04:27:149] tMainTask CPP: cpp.c      : 2492: cppProcRxFrame: dst=00-00-5e-00-01-7a src=00-16-35-02-42-30 typ=0800 len=351 port=2/8 vid=0x07a pid=1 code=0103 qos=0 pkthdr 0x800f0167 0x007a40c0
                 [05/23/07 13:04:27:149] tMainTask CPP: cpp.c      : 2492: cppProcRxFrame: dst=00-00-5e-00-01-7a src=00-16-35-02-42-30 typ=0800 len=80 port=2/8 vid=0x07a pid=1 code=0103 qos=0 pkthdr 0x800f0054 0x007a40c0
                 [05/23/07 13:04:27:149] tMainTask CPP: cpp.c      : 2492: cppProcRxFrame: dst=00-00-5e-00-01-7a src=00-16-35-02-42-30 typ=0800 len=71 port=2/8 vid=0x07a pid=1 code=0103 qos=0 pkthdr 0x800f004f 0x007a40c0
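       As an added example (not part of the original tip), the following Python script rebuilds cppProcRxFrame trace records that were wrapped across lines when copied from a console or PDF, and counts the code=0103 frames per source MAC, ingress port and VLAN, which points directly at the station that keeps ignoring the redirects. The sample trace is constructed from the three records quoted above plus one made-up record with a different code.

```python
import re
from collections import Counter

# Constructed sample in the cppProcRxFrame format quoted above. The three
# code=0103 records are wrapped the way a copied console or PDF page wraps
# them; the fourth (code=0000, other source) is made up only for filtering.
SAMPLE_TRACE = """\
[05/23/07 13:04:27:149] tMainTask CPP: cpp.c      : 2492: cppProcRxFrame: dst=00-00-
5e-00-01-7a src=00-16-35-02-42-30 typ=0800 len=351 port=2/8 vid=0x07a pid=1
code=0103 qos=0 pkthdr 0x800f0167 0x007a40c0
[05/23/07 13:04:27:149] tMainTask CPP: cpp.c      : 2492: cppProcRxFrame: dst=00-00-
5e-00-01-7a src=00-16-35-02-42-30 typ=0800 len=80 port=2/8 vid=0x07a pid=1 code=0103
qos=0 pkthdr 0x800f0054 0x007a40c0
[05/23/07 13:04:27:149] tMainTask CPP: cpp.c      : 2492: cppProcRxFrame: dst=00-00-
5e-00-01-7a src=00-16-35-02-42-30 typ=0800 len=71 port=2/8 vid=0x07a pid=1 code=0103
qos=0 pkthdr 0x800f004f 0x007a40c0
[05/23/07 13:04:27:150] tMainTask CPP: cpp.c      : 2492: cppProcRxFrame: dst=00-00-
5e-00-01-7a src=00-16-35-aa-bb-cc typ=0800 len=60 port=3/1 vid=0x07a pid=1 code=0000
qos=0 pkthdr 0x800f003c 0x007a40c0
"""

REC_START = re.compile(r"^\[[^\]]+\]")  # every record opens with a [timestamp]
KV = re.compile(r"(\w+)=(\S+)")         # key=value fields of the frame header
REDIRECT_CODE = "0103"                  # packet copied to the CPU for an ICMP redirect

def rejoin_records(text):
    """Rebuild one record per line. A line without a leading timestamp is a wrapped
    continuation: glue it on without a separator if the previous fragment ended in
    '-' (a MAC address split mid-way), otherwise with a space."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if REC_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line if records[-1].endswith("-") else " " + line
    return records

def parse_record(line):
    """Extract the key=value fields (dst, src, typ, len, port, vid, pid, code, qos)."""
    return dict(KV.findall(line))

def redirect_offenders(text, code=REDIRECT_CODE):
    """Count redirect-code frames per sending MAC, ingress port and VLAN,
    most frequent first: these are the stations ignoring the redirects."""
    counts = Counter()
    for rec in map(parse_record, rejoin_records(text)):
        if rec.get("code") == code:
            counts[(rec["src"], rec["port"], rec["vid"])] += 1
    return counts.most_common()
```

Feed the output of the CPU trace into redirect_offenders() and the top entry gives the MAC and port to look at first.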



       Recommended Actions:
       First, the network design has to be checked to find out why one of the routers sends the packets to
       the other device on the same network. Typically this happens when the destination network is only
       connected to one of the routing devices and the network between the routers is a transfer network.
       Connecting the next hop router to both routing devices would resolve the problem in this situation.




       Figure 2: destination network on both routers or changed default gateway




       As the sending station typically does not take part in any dynamic routing protocol (otherwise it
       would learn the correct next hop to forward the packets to), it needs to be verified whether the other
       router should be used as the default gateway for that station instead.

       If the device that is forwarding the packet to the wrong router were capable of dynamic routing and
       took part in it, it would learn the correct next hop automatically. This may not be feasible for
       firewalls, for security reasons, or for normal workstations, in order to limit the number of routing
       devices in the network.

       To avoid transporting the original packet to the other router over the same IP network on which it
       was received, an additional transport network between the two routers could optionally be created.
       If this network uses a lower interface cost than the original network, the packet is forwarded to the
       other router over this network, which does not cause ICMP redirects. The new transport network could
       be a physical link between the routers or an additional VLAN on the same segment. The solution with
       a new VLAN would not prevent the packet from traversing that segment twice (from the sending station
       to the ‘wrong’ router and from there to the ‘correct’ router), but it would prevent ICMP redirects
       from being sent out.
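       To make the redirect condition from the Background section and the transport-network remedy described above concrete, here is an added simulation (not from the document; the topology, addresses, VLAN names and costs are constructed): a router generates a redirect whenever its best route sends a packet back out of the interface it arrived on, and a lower-cost transport VLAN towards the other router changes the egress interface so that no redirect is needed.

```python
import ipaddress

# Constructed topology, not taken from the document: router A reaches the
# 10.20.0.0/16 network only via router B, and the firewall sits on the same
# transfer VLAN (vlan122) as the link between A and B.
class Router:
    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, next_hop, egress interface, cost)

    def add_route(self, network, next_hop, interface, cost):
        self.routes.append((ipaddress.ip_network(network), next_hop, interface, cost))

    def lookup(self, dst):
        """Longest prefix match; among equal prefixes the lowest cost wins."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

    def forward(self, dst, ingress_if):
        """Return (egress interface, redirect needed). As in the Background
        section, a redirect is due when the best route sends the packet back
        out of the very interface it was received on."""
        route = self.lookup(dst)
        if route is None:
            return None, False
        _, _, egress_if, _ = route
        return egress_if, egress_if == ingress_if

def scenario(with_transport_vlan):
    """Firewall on vlan122 sends a packet for 10.20.5.7 to router A.
    Without the remedy A must send it back out of vlan122 towards B and
    generates a redirect; with the lower-cost transport VLAN (Figure 3)
    the packet leaves via vlan200 and no redirect is generated."""
    a = Router("A")
    a.add_route("10.20.0.0/16", "10.1.122.2", "vlan122", cost=10)  # B on transfer VLAN
    if with_transport_vlan:
        a.add_route("10.20.0.0/16", "10.1.200.2", "vlan200", cost=1)  # B on transport VLAN
    return a.forward("10.20.5.7", ingress_if="vlan122")
```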




       Figure 3: Using a transport VLAN

       There is one additional option on the ERS 8600 to prevent ICMP redirects.

       ICMP redirects can be turned off globally, which prevents the generation of these ICMP packets.
       On pre-E-modules this does, however, not change the behavior of copying the packet to the CPU,
       which creates additional CPU load. With E-, M- and R-modules the original frame is not copied to the
       CPU in any case. Disabling ICMP redirects in the configuration is still possible on these modules. If
       ICMP redirect is enabled, the I/O modules generate the redirects themselves and do not use
       CPU cycles.

       The command on the ERS 8600 is ‘config ip icmp-redirect-msg disable’.



