Bugtraq mailing list archives

ICMP unreachables (was: Watcher page moved...)


From: fitz () wang com (Tom Fitzgerald)
Date: Sun, 2 Apr 95 4:30:24 EDT


       4) Should routers discard received redirects that aren't
       addressed to the router?

Routers should always ignore Redirects.

         A router using a routing protocol (other than static routes)
         MUST NOT consider paths learned from ICMP Redirects when
         forwarding a packet.

Yes, but this applies only to redirects which ARE addressed to the router.
I was hoping for a way that a router could recognize a bogus redirect being
sent through it to another host, and discard it, like it would discard
source-routed traffic, or traffic with a spoofed source address.

Just as one example, Cisco routers can be configured to discard all ICMPs,
but can't be configured to filter some types of ICMP but not others.  It
might work to filter out all ICMPs with a source address of the router
itself, since apparently filters aren't applied to packets that originate
on the router.  If the host ignores redirects that don't come from the
current gateway (which it's supposed to do), then there shouldn't be any
way to get a bogus redirect to it.

If the host isn't careful about the source of redirects, then I don't think
either Cisco or Netblazer access lists are enough to prevent spoofed
redirects, without also disabling things like port-unreachables and ping,
which are really too valuable to lose.  Other routers may be more flexible.

-- 
Tom Fitzgerald    1-508-967-5278    Wang Labs, Lowell MA, USA    fitz () wang com
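The two checks discussed in the post, written out as an added example (not part of the original message): the host-side rule from RFC 1122 that a Redirect is honoured only when it comes from the gateway currently used for that destination and names a new gateway on a directly connected network, and the router-side filter that drops inbound packets carrying one of the router's own addresses as source. The routing table and addresses are constructed for illustration.

```python
import ipaddress

# Constructed host routing table (hypothetical addresses): prefix -> first-hop
# gateway, with None meaning the prefix is directly connected.
HOST_ROUTES = {
    ipaddress.ip_network("192.0.2.0/24"): None,
    ipaddress.ip_network("0.0.0.0/0"): ipaddress.ip_address("192.0.2.1"),
}

def current_gateway(dst):
    """Longest-prefix match: which gateway does the host use for dst now?"""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in HOST_ROUTES.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best is not None else None

def host_accepts_redirect(src, dst, new_gw):
    """Host-side check from RFC 1122 3.2.2.2: accept a Redirect only if it
    arrives from the gateway currently used for dst and names a new gateway
    on a directly connected network. Anything else is silently dropped."""
    gw = current_gateway(dst)
    if gw is None or ipaddress.ip_address(src) != gw:
        return False  # not from our current first hop: stale, or spoofed
    new_gw = ipaddress.ip_address(new_gw)
    return any(new_gw in net for net, g in HOST_ROUTES.items() if g is None)

def router_drops_inbound(router_addrs, pkt_src):
    """Router-side filter idea from the post: since packets the router itself
    originates never pass the inbound filter, any packet arriving with one of
    the router's own addresses as source is spoofed and can be dropped."""
    own = {ipaddress.ip_address(a) for a in router_addrs}
    return ipaddress.ip_address(pkt_src) in own
```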
