Tags: gateway, ICMP-redirects, network, router, Security
ICMP Redirect is an ICMP type 5 error message that a gateway router sends to a sending host to inform it of a better route to a destination host, so that the host updates its routing table with a new host route for that destination. The router still forwards the original packet to the next-hop router or to the destination host, and sends the ICMP Redirect message to the sending host so that subsequent packets to that destination can be sent via the new route.
For instance, in an ideal setup a host on a subnet has a default route configured, and all packets are sent to the default router, which takes care of the routing. In the following setup, Host A has Router A as its default gateway. When Host A wants to send a packet to Host B:
- Host A sends a packet for Host B to Router A.
- Router A receives the packet, checks its routing table, and forwards the packet to the next-hop router, Router B.
- Router A also notices that its outgoing interface and Router B's incoming interface are on the same subnet as Host A, so the optimal route from Host A to Host B is directly through Router B.
- Router A sends an ICMP Redirect (ICMP type 5) message back to Host A indicating the alternate route, telling it to send subsequent packets for Host B to Router B, while still forwarding the current packet to the next-hop router.
- Host A adds a static host route for Host B with Router B as the next-hop router, and subsequent packets are sent to Router B.
The ICMP Redirect message is a type 5 ICMP message with one of the following codes:
- 0 – Redirect Datagram for the Network
- 1 – Redirect Datagram for the Host
- 2 – Redirect Datagram for the Service and the Network
- 3 – Redirect Datagram for the Service and the Host
Codes 0 and 2, the ICMP Network Redirects, are deprecated and obsolete; only codes 1 and 3 are used. Hence, in practice ICMP Redirects are ICMP Host Redirects.
For a gateway router that is configured to send ICMP redirects to actually send an ICMP Redirect message:
- the incoming packet must not carry a Source Route option (RFC1812)
- the incoming and outgoing interface for the packet on the router must be the same (RFC1812)
- the Source IP of the packet must be on the same IP network or subnet as the next-hop address (RFC1812)
- the route used for the outgoing packet must not itself be an ICMP redirect route or a default route
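The router-side decision above, as an added example that is not code from the original post: a small hypothetical router model that applies the RFC1812 conditions to a forwarded packet and says whether a host redirect is due. The interface names, routes and addresses (documentation ranges) are constructed to mirror the Host A / Router A / Router B walkthrough; treating a directly connected destination as "nothing to redirect to" is a modelling choice of this example.

```python
"""Router-side decision: does a forwarded packet warrant an ICMP Redirect?
Added example (not from the original post) encoding the RFC1812 conditions in
a hypothetical router model; all addresses are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: IPv4Network
    next_hop: Optional[IPv4Address]   # None: destination is directly connected
    out_iface: str
    from_redirect: bool = False        # this route was itself learned via a redirect


@dataclass
class Router:
    interfaces: Dict[str, IPv4Interface]   # name -> address/prefix on that interface
    routes: List[Route]
    send_redirects: bool = True

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match over the routing table."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def should_redirect(self, src: str, dst: str, in_iface: str,
                        source_routed: bool = False) -> Tuple[bool, str]:
        """Return (send, reason); send=True means a host redirect (code 1) is due."""
        src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
        if not self.send_redirects:
            return False, "redirects disabled on this router"
        if source_routed:
            return False, "packet carries a Source Route option (RFC1812)"
        route = self.lookup(dst_ip)
        if route is None:
            return False, "no route to destination"
        if route.prefix.prefixlen == 0:
            return False, "matched the default route; never redirect on it"
        if route.from_redirect:
            return False, "route was itself learned from a redirect"
        if route.next_hop is None:
            # modelling choice: directly connected destination, no next-hop router to advertise
            return False, "destination is directly connected"
        if route.out_iface != in_iface:
            return False, "packet leaves on a different interface than it arrived (RFC1812)"
        link = self.interfaces[in_iface].network
        if src_ip not in link or route.next_hop not in link:
            return False, "source and next hop are not on the same subnet (RFC1812)"
        return True, "send host redirect: %s -> %s via %s" % (src_ip, dst_ip, route.next_hop)


def example_router() -> Router:
    """Router A from the walkthrough (constructed): eth0 faces Host A's subnet,
    where Router B also sits; eth1 faces the upstream default gateway."""
    return Router(
        interfaces={"eth0": IPv4Interface("192.0.2.1/24"),
                    "eth1": IPv4Interface("198.51.100.1/24")},
        routes=[
            Route(IPv4Network("192.0.2.0/24"), None, "eth0"),
            Route(IPv4Network("198.51.100.0/24"), None, "eth1"),
            # Host B's network is reached through Router B, which is on Host A's subnet
            Route(IPv4Network("203.0.113.0/24"), IPv4Address("192.0.2.2"), "eth0"),
            Route(IPv4Network("10.0.0.0/8"), IPv4Address("198.51.100.7"), "eth1"),
            Route(IPv4Network("0.0.0.0/0"), IPv4Address("198.51.100.254"), "eth1"),
        ],
    )


if __name__ == "__main__":
    router_a = example_router()
    cases = [("192.0.2.10", "203.0.113.20", "eth0", False),   # Host A -> Host B: redirect
             ("192.0.2.10", "10.1.2.3", "eth0", False),       # leaves on eth1: no redirect
             ("192.0.2.10", "198.18.0.5", "eth0", False),     # default route: no redirect
             ("192.0.2.10", "203.0.113.20", "eth0", True),    # source-routed: no redirect
             ("10.9.9.9", "203.0.113.20", "eth0", False)]     # off-subnet source: no redirect
    for case in cases:
        print(case, router_a.should_redirect(*case))
```

Only the first case (Host A to Host B, arriving and leaving on eth0, next hop Router B on the same subnet) yields a redirect; each other case fails exactly one of the listed conditions, which is the order a router implementation checks them in.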
On the other hand, according to the RFCs, a host or a device that is not acting as a router or gateway:
- should be able to accept ICMP Redirect messages (RFC1122)
- should not send ICMP Redirect messages (RFC1122)
- should update its routing table with the new host route advised by the ICMP Redirect message, provided the new router or gateway is on a directly connected network and the message was received from the current router or gateway for that destination
Also according to the RFCs, a device acting as a gateway or router:
- should discard an ICMP Redirect message it receives if the new gateway or router specified is not on the same IP network or subnet on which it received the redirect message (RFC1122)
- can ignore ICMP Redirect messages if it is running a routing protocol (RFC1812)
- can ignore ICMP Redirect messages if forwarding is enabled on the router and/or on the interface on which the packet is being sent (RFC1812)
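The receiving side, as an added example that is not code from the original post: it builds and parses an ICMP Redirect message (type 5, code, checksum, new gateway address, then the offending datagram's IP header plus its first 8 bytes), verifies the ICMP checksum, and applies the RFC1122 host rules from the two lists above before a host route would be installed. The same checks (redirect must come from the current first-hop router, advertised gateway must be on a directly connected network, network-redirect codes ignored) are what reject the crafted redirects discussed at the end of the post. The addresses, the quoted datagram and the local network list are constructed for illustration.

```python
"""Host-side handling of an ICMP Redirect: parse, checksum, and RFC1122 acceptance.
Added example, not code from the original post; all values are constructed."""
import struct
from ipaddress import IPv4Address, IPv4Network

ICMP_REDIRECT = 5
HOST_REDIRECT_CODES = {1, 3}   # codes 0 and 2 (network redirects) are obsolete


def internet_checksum(data: bytes) -> int:
    """RFC1071 one's-complement sum over 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int = 8) -> bytes:
    """Minimal 20-byte IPv4 header (no options) for the quoted datagram; header checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def build_redirect(code: int, new_gateway: str, quoted: bytes) -> bytes:
    """ICMP Redirect wire format: type 5, code, checksum, gateway address, quoted datagram."""
    body = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, IPv4Address(new_gateway).packed) + quoted
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def parse_redirect(msg: bytes) -> dict:
    """Decode a redirect; raise ValueError on wrong type, truncation or bad checksum."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("truncated ICMP Redirect")
    msg_type, code, _csum, gw = struct.unpack("!BBH4s", msg[:8])
    if msg_type != ICMP_REDIRECT:
        raise ValueError("not an ICMP Redirect (type %d)" % msg_type)
    if internet_checksum(msg) != 0:           # a valid message checksums to zero
        raise ValueError("bad ICMP checksum")
    ihl = (msg[8] & 0x0F) * 4                  # header length of the quoted datagram
    quoted_hdr = msg[8:8 + ihl]
    return {
        "code": code,
        "new_gateway": str(IPv4Address(gw)),
        "destination": str(IPv4Address(quoted_hdr[16:20])),   # the host route to install
    }


def host_should_accept(redirect: dict, sender: str, current_gateway: str, local_nets) -> tuple:
    """RFC1122 rules a host applies before installing the advertised host route.
    sender: source IP of the ICMP message; current_gateway: the host's present
    first hop for redirect['destination']; local_nets: directly connected networks."""
    new_gw = IPv4Address(redirect["new_gateway"])
    if redirect["code"] not in HOST_REDIRECT_CODES:
        return False, "network redirect codes are obsolete; ignored"
    if IPv4Address(sender) != IPv4Address(current_gateway):
        return False, "not from the current first-hop router for this destination"
    if not any(new_gw in net for net in local_nets):
        return False, "advertised gateway is not on a directly connected network"
    return True, "install host route %s via %s" % (redirect["destination"], new_gw)


# Constructed sample: Host A 192.0.2.10 sent to Host B 203.0.113.20; Router A is 192.0.2.1,
# Router B is 192.0.2.2, and Host A's only directly connected network is 192.0.2.0/24.
SAMPLE_QUOTED = ipv4_header("192.0.2.10", "203.0.113.20") + b"\x00" * 8
LOCAL_NETS = [IPv4Network("192.0.2.0/24")]
GENUINE = build_redirect(1, "192.0.2.2", SAMPLE_QUOTED)
OFF_LINK = build_redirect(1, "10.0.0.1", SAMPLE_QUOTED)     # gateway not on Host A's subnet

if __name__ == "__main__":
    for label, msg, sender in [("genuine", GENUINE, "192.0.2.1"),
                               ("off-link gateway", OFF_LINK, "192.0.2.1"),
                               ("wrong sender", GENUINE, "192.0.2.99")]:
        print(label, host_should_accept(parse_redirect(msg), sender, "192.0.2.1", LOCAL_NETS))
```

Only the genuine message (sent by the current gateway 192.0.2.1, advertising 192.0.2.2 on the host's own subnet, code 1) passes; a redirect advertising an off-link gateway or arriving from a host that is not the current first hop is dropped before it can touch the routing table, and a corrupted checksum is rejected at parse time.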
ICMP Redirects are not an efficient way to keep a host's table of optimal routes up to date, as they can easily fill up a host's routing table and cause performance issues. They can also be used by a malicious hacker to launch a Denial of Service attack on a host on the network, using a properly crafted redirect packet to inject malicious routes into the host's routing table with very little knowledge of the network itself.