8

Due to potential for MITM attack, ICMP redirect messages should be blocked. However, the original purpose of the ICMP redirect message is to inform the host of a better router (or gateway).

Then, is there a speed issue with disabling ICMP redirect messages on the host? Or is it negligible?

Maximillian Laumeister
  • 103
  • 4
baeharam
  • 257
  • 2
  • 5
  • In a properly configured network, redirects don't happen and aren't necessary. Strict adherence to rules would see the packet dropped -- never forward a packet out the interface on which it was received, but no one has done that for decades. Redirects cannot be trusted, so most hosts don't honor them, so most admins config their routers to no bother sending them. – Ricky Dec 06 '18 at 13:26

2 Answers2

8

ICMP re-directs are most often seen when you have a host or router A in the same subnet with two other routers B & C and connectivity to both. Consider the following network:

   |__192.168.1.0/24__|
   | |                |
     |
     |   |___192.168.8.0/24__|
     |   | |                 |
     B     C
|____|_____|____|
|       |       |
        A

A will have a route (most likely a default) pointing to B, and B will have a more specific route to a 192.168.8.0/24 pointing to C.

Without ICMP redirects, all traffic from A to 192.168.8.0/24 will be routed A->B->C

With ICMP re-direct enabled, B will inform A that C is a better next-hop and subsequent traffic will be routed A->C.

Obviously B is an extra hop and depending on what kind of box it is, it may introduce extra latency.

Disabling ICMP-Redirects and redesigning the network to avoid this situation entirely would be the preferred solution eg:

   |__192.168.1.0/24__|
   | |                |
     |
     |   |___192.168.8.0/24__|
     |   | |                 |
     B-----C
|____|__________|
|       |       |
        A

(or remove C entirely and hang 192.168.8.0/24 directly off B).

Benjamin Dale
  • 9,421
  • 17
  • 46
  • Then, what you mean is that structure of network is more important than ICMP redirect? – baeharam Dec 06 '18 at 01:19
  • ICMP redirect indicates that there is sub-optimal routing configured and tries to resolve this - IMO this is a design problem – Benjamin Dale Dec 06 '18 at 04:47
  • 2
    Actually, your redesign just removes the possibility of using an ICMP redirect to optimize the route - all you get is an unavoidable A->B->C route and back(!). An optimizing redesign should remove C and connect its subnet/link to B. – Zac67 Dec 06 '18 at 18:35
  • Yes - this did occur to me when I was doing the redesign : ) But I figured that removing C might have changed things too much - sometimes C might be an unavoidable requirement (provider/3rd-part NTU to another network etc.) – Benjamin Dale Dec 06 '18 at 21:49
6

ICMP redirect is a remnant from an era of trust - partly because networked machines had administrators and BYOD was unimaginable.

Ignoring the redirect on the client means it will continue to be sent through the less efficient gateway. This will lead to unnecessary work by that router, and unnecessary traffic on its interface, slightly reducing performance for everyone using that gateway.

It will also increase the latency for the client, as each packet has to take an extra hop.

However, in the general case, on a modern network both of these "costs" will be negligible.

The ideal way of resolving the issue is for a route to be added on the client to use the correct gateway. ICMP redirect provided a way for it to happen automatically, but probably shouldn't be trusted - but they remain a clue that a better route exists, and logging them allows one to consider making such a change, perhaps after consulting with the network administrators.

Redesigning the network is probably the wrong thing to do.

JCRM
  • 161
  • 2
  • Absolutely: Sometimes configuration simplicity is much, much, more important than packet efficiency. I've seen networks where all routing was static, lots of "suboptmal" routes, traffic low, configuration errors never. Happy network admin kept perfect static routes on central router and that was that. Always keep reference to your own organisation's priorities. Certainly don't redesign a network unless there is an actual problem – jonathanjo Dec 06 '18 at 10:18
  • "on a modern network both of these "costs" will be negligible" - yes, but only as long as there's ample link bandwidth (which you might include in "modern" ;-). – Zac67 Dec 06 '18 at 18:40
  • Static routes on hosts? shudder simple, yes, but very hard to capture – Benjamin Dale Dec 06 '18 at 21:51