
do UGHD (ip redirect) routes exist in hp-ux 11 ?

 
Stephane Caron
Occasional Advisor


Hello all,

Our telecommunications people use ip redirect messages to redirect servers to "better" routers instead of using the default gateway.

Our servers, all on HP-UX 11.x, do not seem to respond to those ip redirects. I do not see any UGHD routes in the netstat -rn table.

Furthermore, the man page for netstat does not mention anything about D (dynamic, or re-direct if you prefer) routes.

As far as I know, IP redirect has been supported in HP-UX since 10.20, but I have no hard evidence that it is still supported in HP-UX 11.x.

Has anyone verified this on their servers ? Does anyone have UGHD routes in their routing tables ?

Note: we are not running gated, but I do not believe that support of IP redirect is part of the protocols that gated supports (RIP, EGP, BGP, HELLO and OSPF). It is part of the core ICMP specifications (RFC 792).

Thanks for any info !!!
harry d brown jr
Honored Contributor

Re: do UGHD (ip redirect) routes exist in hp-ux 11 ?


With my security hat on, I'd say that I would never want a server to BE redirected. Imagine the CHAOS I could do if my servers accepted it?


live free or die
harry
Stephane Caron
Occasional Advisor

Re: do UGHD (ip redirect) routes exist in hp-ux 11 ?

Well, if I am pointing to that router in the first place, it must be because I trust it, no ?

But I understand your point... It does appear like a security breach potential. I am not sure how much authentication is performed on ICMP redirects... Sounds like kinda easy to spoof...

Do you think that they have removed support of ICMP redirects in HP-UX 11 ? I can see no evidence of this anywhere in the release notes or else...

Whether we like them or not, ICMP redirects are part of the RFC...
Sanjay_6
Honored Contributor

Re: do UGHD (ip redirect) routes exist in hp-ux 11 ?

Hi,

Do you have "gated" enabled on the server?

Hope this helps.

Regds
Stephane Caron
Occasional Advisor

Re: do UGHD (ip redirect) routes exist in hp-ux 11 ?

Harry, I just re-read your reply and I think that I just understood what you meant... You meant that servers should be able to redirect others, but should not be able to be redirected...

Well, as far as I know, the RFC stands for everybody, no distinction being made between servers, clients (PCs) or other... There is no special status for servers that they can/should disregard ICMP redirects.

What I have seen with Solaris servers, and other threads about hp-ux 10.20, show that at least some servers do support IP redirects, and that they show up as UGHD routes in netstat -rn.

I just need to know about HP-UX 11.x...
Stephane Caron
Occasional Advisor

Re: do UGHD (ip redirect) routes exist in hp-ux 11 ?

Hello Sanjay,

As mentioned in my original message, I do not have gated turned on. But I do not believe that it is gated's job to handle ICMP redirects...

But I may be wrong... Do you know for a fact that it is gated that handles ICMP redirects ?
Sanjay_6
Honored Contributor

Re: do UGHD (ip redirect) routes exist in hp-ux 11 ?

Hi,

I think gated is handling the routing requests. So if you enable gated on the system, you should see the UGHD in the netstat output.

Hope this helps.

Regds
Ron Kinner
Honored Contributor
Solution

Re: do UGHD (ip redirect) routes exist in hp-ux 11 ?

If you can believe the manual, Gated will undo ICMP redirects but doesn't seem to be necessary for them to work. Turning on Gated and a routing protocol will automatically kill redirects, as will telling gated.conf noredirects. Check out the man page for gated.conf:

The redirect code is passed ICMP or ISO redirects learned by monitoring ICMP messages, or via the routing socket on systems that support it. It processes the redirect request and decides whether to accept the redirect. If the redirect is accepted, a route is installed in the gated routing table with the protocol redirect. Redirects are deleted from the routing table after 3 minutes.
If GateD determines that a redirect is not acceptable, it tries to figure out if the kernel forwarding table has been modified. On systems where ICMP messages are monitored this is accomplished by trying to second guess what the kernel would have done with the redirect. On systems with the routing socket, the kernel provides an indication of whether the redirect was accepted; GateD ignores redirects that were not processed.

If GateD has determined that the state of the kernel forwarding table has been changed, the necessary requests to the kernel are made to restore the correct state.

Note that on currently available systems it is not possible to disable the processing of ICMP redirects, even when the system is functioning as a router. To ignore the effects of redirects, GateD must process each one and actively restore any changes it made to the state of the kernel. Because of the mechanisms involved, there will be windows where the effects of redirects are present in the kernel.

By default, GateD removes redirects when actively participating in an interior gateway protocol (RIP, HELLO, OSPF or IS-IS). It is not possible to enable redirects once they have been automatically disabled. Listening to RIP or HELLO in nobroadcast mode does not cause redirects to be ignored, nor does the use of EGP and BGP. Redirects must be manually configured off in these cases.

Note that in accordance with the latest IETF Router Requirements document, GateD insures that all ICMP net redirects are processed as host redirects. When an ICMP net redirect is accepted, GateD issues the requests to the kernel to make sure that the kernel forwarding table is updated to reflect a host redirect instead of a net redirect.

The redirect statement does not prevent the system from sending redirects, only from listening to them.

The Redirect Statement

    redirect yes | no | on | off
    [ {
        preference preference ;
        interface interface_list
            [ noredirects ] | [ redirects ] ;
        trustedgateways gateway_list ;
        traceoptions trace_options ;
    } ] ;

preference
    Sets the preference for a route learned from a redirect. The default is 30.

interface interface_list
    The interface statement allows the enabling and disabling of redirects on an interface-by-interface basis. See the section on interface list specification for the description of the interface_list. The possible parameters are:

    noredirects
        Specifies that redirects received via the specified interface will be ignored. The default is to accept redirects on all interfaces.

    redirects
        This is the default. This argument may be necessary when noredirects is used on a wildcard interface descriptor.

Ron


Stephane Caron
Occasional Advisor

Re: do UGHD (ip redirect) routes exist in hp-ux 11 ?

Thanks Ron, excellent source of information,

If I read this correctly, gated is not responsible for populating the routing table with the results of ICMP redirects, but it will rather do the exact opposite: remove UGHD routes it thinks are inappropriate. Which makes sense; routes learned from higher-level protocols such as RIP and others should properly override ICMP redirects.

In many cases, though, gated is NOT running, which means that UGHD routes should appear (if I understand Ron's reply correctly).

None of this explains the absence of any reference to the D (of UGHD) in the man page for netstat in HP-UX 11.x... I was able to get my hands on an HP-UX 10.20 system, and the man pages for netstat do mention D (dynamic) routes.

I am guessing there is something different between HP-UX 11 and 10.20... I think I'll place a service call for this.
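
An added example, not part of the thread or of HP's documentation: a POSIX shell check that lists routes whose Flags column contains D, the flag the thread associates with routes installed by ICMP redirects, so that unexpected redirect-learned routes can be spotted on a host. The sample routing table is constructed and its column layout is an assumption; the script locates the Flags column from the header line rather than relying on a fixed position.

```shell
#!/bin/sh
# Added example: flag routes that were installed dynamically (D flag),
# e.g. UGHD host routes created by an accepted ICMP redirect.

# Constructed sample in the general layout of `netstat -rn` output.
# Addresses are documentation ranges; interface names are placeholders.
sample_routes() {
cat <<'EOF'
Routing tables
Destination        Gateway            Flags  Refs  Interface  Pmtu
127.0.0.1          127.0.0.1          UH     0     lo0        4136
192.0.2.10         192.0.2.10         UH     0     lan0       4136
198.51.100.25      192.0.2.254        UGHD   0     lan0       1500
192.0.2.0          192.0.2.10         U      2     lan0       1500
default            192.0.2.1          UG     0     lan0       0
EOF
}

# Reads a routing table on stdin and prints "destination gateway flags"
# for every route whose Flags field contains D.
redirect_routes() {
    awk '
        # Skip everything up to and including the header line, and
        # remember which column is labelled "Flags".
        flagcol == 0 {
            for (i = 1; i <= NF; i++)
                if ($i == "Flags") flagcol = i
            next
        }
        # Data lines: report the route if its flags include D.
        NF >= flagcol && index($flagcol, "D") {
            print $1, $2, $flagcol
        }
    '
}

# Demonstration on the constructed sample.
# On a live host the input would be:  netstat -rn | redirect_routes
sample_routes | redirect_routes
```

An empty result means no D-flagged route is currently in the table; because the gated man page quoted above says redirect routes are deleted after 3 minutes, a single run only shows what is present at that moment.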