Over the last few weeks several people have asked me about routes that mysteriously appear and then disappear. For example
route print
Default Gateway: 10.10.10.1
Network Address  Gateway Address  Subnet Mask      Redirect Life
172.16.0.0       10.10.10.172     255.255.0.0
Figure 1 – original routing table
And then
route print
Default Gateway: 10.10.10.1
Network Address  Gateway Address  Subnet Mask      Redirect Life
172.16.0.0       10.10.10.172     255.255.0.0
172.16.1.2       10.10.10.254     255.255.255.255  5 mins
Figure 2 – dynamic route added
And 5 minutes later
route print
Default Gateway: 10.10.10.1
Network Address  Gateway Address  Subnet Mask      Redirect Life
172.16.0.0       10.10.10.172     255.255.0.0
Figure 3 – dynamic route deleted
These dynamic routes are added when the STCP stack receives an ICMP redirect message from one router telling it to use a different router for a particular destination. As the Redirect Life column shows, the routes have a 5 minute lifetime, so after 5 minutes they are deleted. Of course a route can come back immediately if the stack receives another redirect for that host.
To describe the process in detail, let's say that STCP is configured with a route to the 172.16.0.0/16 network through the router 10.10.10.172, and that there is another router on the same network with the IP address 10.10.10.254. I'll refer to these routers as R-172 and R-254. Both R-172 and R-254 can reach the 172.16.0.0/16 network, but R-172 uses a high bandwidth T3 connection while R-254 uses a low bandwidth dial-up ISDN link.
The STCP routes look like figure 1 above; note that there is no explicit route using R-254.
When R-172's T3 link goes down it can no longer reach the 172.16.0.0/16 network directly, but it knows that R-254 can, so when a packet arrives for 172.16.1.2 it forwards the packet to R-254 and also sends an ICMP redirect message back to the sender. The sender, STCP in this case, builds a dynamic host route saying that to reach 172.16.1.2 it must send the packet to R-254 (figure 2).
Because these are host routes, every host on the 172.16.0.0/16 network that is sent a packet gets its own /32 route with its own 5 minute timer. The route command shows the remaining lifetime of each route (figure 4).
route print
Default Gateway: 10.10.10.1
Network Address  Gateway Address  Subnet Mask      Redirect Life
172.16.0.0       10.10.10.172     255.255.0.0
172.16.1.1       10.10.10.254     255.255.255.255  5 mins
172.16.1.8       10.10.10.254     255.255.255.255  2 mins
172.16.1.23      10.10.10.254     255.255.255.255  2 mins
172.16.1.65      10.10.10.254     255.255.255.255  2 mins
172.16.1.101     10.10.10.254     255.255.255.255  3 mins
172.16.1.200     10.10.10.254     255.255.255.255  5 mins
Figure 4 – multiple host routes
When R-172's T3 link comes back up, hosts that do not have a host route simply use R-172 as if nothing had happened. Packets for hosts that do have a host route still go to R-254; R-254 knows that R-172's link is back (routers exchange routing information with each other) and forwards them to R-172. R-254 should also send an ICMP redirect back to the sender, resulting in a new host route that points at R-172 (figure 5).
route print
Default Gateway: 10.10.10.1
Network Address  Gateway Address  Subnet Mask      Redirect Life
172.16.0.0       10.10.10.172     255.255.0.0
172.16.1.9       10.10.10.172     255.255.255.255  3 mins
172.16.1.18      10.10.10.172     255.255.255.255  4 mins
172.16.1.20      10.10.10.172     255.255.255.255  2 mins
Figure 5 – host routes redirected back to original router
Under some conditions it may make sense for STCP not to create any dynamic routes at all. For example, suppose R-254 is down but R-172's route through R-254 is a static entry that was never removed: R-172 keeps sending redirects, so packets to hosts on the 172.16.0.0/16 network that have picked up a host route are handed to R-254 and dropped, because R-254 can't be reached. When R-172's T3 comes back up you have the situation that the 172.16.0.0/16 hosts without a host route are reachable but those with an R-254 host route are not. As the R-254 routes time out, more and more hosts become reachable again, but it takes the full 5 minutes to recover completely.
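To make the timing concrete, here is a small model of the host-route table described above. It is an added example written for this page, not Stratus code: it reproduces the behaviour in the text (a static /16 route via R-172, a redirect creating a /32 host route with a 5 minute lifetime, expiry, and the effect of ignoring redirects) using the addresses from the figures. The class and method names are hypothetical.

```python
"""Model of the dynamic host routes that ICMP redirects create in STCP.

Added example, not Stratus code.  RouteTable and its methods are hypothetical
names; the addresses are the ones used in the figures above.
"""
import ipaddress

REDIRECT_LIFE = 5 * 60          # the "5 mins" shown in the Redirect Life column


class RouteTable:
    def __init__(self, default_gateway, listen_redirects=True):
        self.default_gateway = ipaddress.ip_address(default_gateway)
        self.listen_redirects = listen_redirects
        self.static = []        # [(network, gateway)]
        self.host_routes = {}   # {host: (gateway, expiry_time)}

    def add_static(self, network, gateway):
        self.static.append((ipaddress.ip_network(network),
                            ipaddress.ip_address(gateway)))

    def expire(self, now):
        """Drop host routes whose 5 minute timer has run out."""
        for host, (_, expiry) in list(self.host_routes.items()):
            if now >= expiry:
                del self.host_routes[host]

    def next_hop(self, dest, now):
        """Host route first, then the most specific static route, then default."""
        dest = ipaddress.ip_address(dest)
        self.expire(now)
        if dest in self.host_routes:
            return self.host_routes[dest][0]
        matches = [(net, gw) for net, gw in self.static if dest in net]
        if matches:
            return max(matches, key=lambda m: m[0].prefixlen)[1]
        return self.default_gateway

    def icmp_redirect(self, dest, new_gateway, now):
        """A router told us to use new_gateway for dest: add (or refresh) a host route."""
        if not self.listen_redirects:
            return False                      # redirects ignored: no route created
        self.host_routes[ipaddress.ip_address(dest)] = (
            ipaddress.ip_address(new_gateway), now + REDIRECT_LIFE)
        return True

    def route_print(self, now):
        """Rows in the order route print shows them, remaining life rounded up to minutes."""
        self.expire(now)
        rows = [(str(net.network_address), str(gw), str(net.netmask), "")
                for net, gw in self.static]
        for host, (gw, expiry) in sorted(self.host_routes.items()):
            mins = -(-(expiry - now) // 60)   # ceiling: a fresh route shows "5 mins"
            rows.append((str(host), str(gw), "255.255.255.255", "%d mins" % mins))
        return rows


def t3_outage_scenario(listen_redirects=True):
    """Walk through figures 1-3: redirect, host route in use, expiry after 5 minutes."""
    rt = RouteTable("10.10.10.1", listen_redirects)
    rt.add_static("172.16.0.0/16", "10.10.10.172")          # R-172, the T3 router
    before = rt.next_hop("172.16.1.2", now=0)                # figure 1: via R-172
    rt.icmp_redirect("172.16.1.2", "10.10.10.254", now=0)    # R-172's T3 is down
    during = rt.next_hop("172.16.1.2", now=60)               # figure 2: via R-254
    after = rt.next_hop("172.16.1.2", now=REDIRECT_LIFE)     # figure 3: timer expired
    other = rt.next_hop("172.16.1.3", now=60)                # hosts without a host route
    return [str(h) for h in (before, during, after, other)]


if __name__ == "__main__":
    rt = RouteTable("10.10.10.1")
    rt.add_static("172.16.0.0/16", "10.10.10.172")
    rt.icmp_redirect("172.16.1.2", "10.10.10.254", now=0)
    for row in rt.route_print(now=0):          # the figure 2 table
        print("%-16s %-16s %-16s %s" % row)
    print(t3_outage_scenario())
    print(t3_outage_scenario(listen_redirects=False))
```

The model shows why recovery is gradual: each host route carries its own timer, so a destination keeps going to R-254 until its own 5 minutes are up, while other destinations that never received a redirect go to R-172 the whole time.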
Some security experts also regard dynamic routes created this way as a security issue. Any host on the local network can send an ICMP redirect message, redirecting a victim's packets to a different gateway that the attacker controls, where packets carrying sensitive content such as passwords or account information can be captured before being forwarded on.
So is there a way to prevent these routes from being created?
Yes. The STCP configuration parameter listen_redirects controls how STCP handles ICMP redirect messages. The default setting, on, tells STCP to create these dynamic routes; the setting off tells STCP to ignore ICMP redirect messages.
as: list_stcp_params listen_redirects
listen to ICMP redirects [off/on] (listen_redirects) on
as: set_stcp_param listen_redirects off
Changing listen to ICMP redirects (listen_redirects) from on to off
Figure 6 – setting the listen_redirects STCP parameter
Note that this parameter affects the system as a whole: you cannot specify that STCP should listen to redirects from some routers but not others. With it off, STCP keeps sending to R-172, which still forwards the packets to R-254 as described above; the only cost is the extra hop across the local network.
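To show what a redirect actually carries and why the sender checks a host can apply are not a substitute for listen_redirects off, here is an added example (written for this page, not Stratus code) that builds an ICMP redirect as a router would, parses it, and applies the usual host-side acceptance checks: the redirect must come from the gateway currently in use for that destination and the new gateway must be on the local network. The message layout is the RFC 792 redirect (type 5): a 4 byte gateway address followed by the IP header and first 8 bytes of the datagram that triggered it. The function names are hypothetical and the packets are constructed inline.

```python
"""Parse an ICMP redirect and apply the host-side checks before trusting it.

Added example, not Stratus code.  build_redirect, parse_redirect and
should_accept are hypothetical names; the packets in __main__ are constructed.
"""
import ipaddress
import struct

ICMP_REDIRECT = 5
CODE_NAMES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum; 0 when the checksum field is already right."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_redirect(code, new_gateway, orig_src, orig_dst, proto=6, payload=b"\x00" * 8):
    """Build the redirect a router sends for a datagram orig_src -> orig_dst."""
    orig_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                              0, 64, proto, 0,
                              ipaddress.ip_address(orig_src).packed,
                              ipaddress.ip_address(orig_dst).packed)
    body = ipaddress.ip_address(new_gateway).packed + orig_header + payload[:8]
    csum = inet_checksum(struct.pack("!BBH", ICMP_REDIRECT, code, 0) + body)
    return struct.pack("!BBH", ICMP_REDIRECT, code, csum) + body


def parse_redirect(msg: bytes):
    """Return (code, new_gateway, original_destination); raise ValueError if malformed."""
    if len(msg) < 8 + 20:
        raise ValueError("truncated redirect")
    mtype, code, _ = struct.unpack("!BBH", msg[:4])
    if mtype != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect (type %d)" % mtype)
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    ihl = (msg[8] & 0x0F) * 4
    if ihl < 20 or len(msg) < 8 + ihl:
        raise ValueError("truncated inner IP header")
    new_gateway = ipaddress.ip_address(msg[4:8])
    orig_dst = ipaddress.ip_address(msg[24:28])   # destination field of the inner header
    return code, new_gateway, orig_dst


def should_accept(msg, sender, local_net, current_next_hop, listen_redirects=True):
    """Decide whether a redirect received from `sender` may create a host route.

    `sender` is the source address of the outer IP packet carrying the ICMP;
    `current_next_hop` is the gateway the host is using for the destination now.
    """
    if not listen_redirects:
        return False, "listen_redirects is off"
    try:
        code, new_gateway, orig_dst = parse_redirect(msg)
    except ValueError as err:
        return False, str(err)
    sender = ipaddress.ip_address(sender)
    if sender != ipaddress.ip_address(current_next_hop):
        return False, "redirect for %s did not come from its current gateway" % orig_dst
    if new_gateway not in ipaddress.ip_network(local_net, strict=False):
        return False, "new gateway %s is not on the local network" % new_gateway
    if new_gateway == sender:
        return False, "redirect points back at its sender"
    return True, "%s redirect: %s via %s" % (CODE_NAMES.get(code, code), orig_dst, new_gateway)


if __name__ == "__main__":
    LOCAL = "10.10.10.0/24"
    # Genuine: R-172, the current gateway for 172.16.0.0/16, redirects to R-254.
    genuine = build_redirect(1, "10.10.10.254", "10.10.10.7", "172.16.1.2")
    print(should_accept(genuine, "10.10.10.172", LOCAL, "10.10.10.172"))
    # Forged: a host that is not our gateway tries to pull the traffic to itself.
    forged = build_redirect(1, "10.10.10.66", "10.10.10.7", "172.16.1.2")
    print(should_accept(forged, "10.10.10.66", LOCAL, "10.10.10.172"))
    # Same forgery with the outer source spoofed as R-172: indistinguishable
    # from the genuine case, which is why listen_redirects off is the real fix.
    print(should_accept(forged, "10.10.10.172", LOCAL, "10.10.10.172"))
    print(should_accept(forged, "10.10.10.172", LOCAL, "10.10.10.172", listen_redirects=False))
    # Off-link gateway in an otherwise plausible redirect.
    print(should_accept(build_redirect(1, "192.0.2.1", "10.10.10.7", "172.16.1.2"),
                        "10.10.10.172", LOCAL, "10.10.10.172"))
```

The third case is the important one: on a shared network an attacker can set the outer source address to the real gateway, so the "came from my current gateway" check passes and the on-link check passes too. Those checks stop sloppy or accidental redirects, not a deliberate one, which is the reason the page recommends turning listen_redirects off where the risk matters.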