On 2018-05-03 Martin Pieuchot <[email protected]> wrote:
> On 02/05/18(Wed) 14:45, Christopher Zimmermann wrote:
> > On 2018-05-02 Martin Pieuchot <[email protected]> wrote:
> > > On 02/05/18(Wed) 11:47, Christopher Zimmermann wrote:
> > > > I just want to bring this up again. Can some network guru give me an ok
> > > > or some feedback please?
> > >
> > > Can you explain with words why we shouldn't send a redirect? The
> > > comment above your diff states clearly:
> > >
> > > "If forwarding packet using same interface that it came in on,
> > > perhaps should send a redirect to sender to shortcut a hop."
> > >
> > > So you're suggesting no to do that, why?
> >
> > That's not exactly what I'm suggesting.
> >
> > In this setting:
> >
> > A 192.168.4.7 <--> 192.168.4.1 Gateway 192.168.1.1 <--> 192.168.1.2 B
> >
> > I observed this senseless redirect:
> >
> > 192.168.4.1 > 192.168.4.7: icmp: redirect 192.168.1.2 to host 192.168.4.1
> >
> > In plain language it means:
> > "Hi 192.168.4.7, I'm 192.168.4.1. You sent me a packet for 192.168.1.2.
> > I'm not the best route, next time send it to 192.168.4.1."
> > So the gateway is instructing host 192.168.4.7 to use gateway
> > 192.168.4.1 instead of 192.168.4.1. (This is not a typo!)
>
> What does your routing table look like?

% doas ifconfig vlan2
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        index 7 priority 0 llprio 3
        encap: vnetid 2 parent em2
        status: active
        inet 192.168.4.1 netmask 0xfffffff0 broadcast 192.168.4.15

% doas route -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            62.27.93.143       UGS        5    63324     -     8 pppoe0
224/4              127.0.0.1          URS        0        0 32768     8 lo0
62.27.93.143       85.212.225.8       UHh        1        1     -     8 pppoe0
85.212.225.8       85.212.225.8       UHl        0     1589     -     1 pppoe0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       9     1131 32768     1 lo0
192.168.0/22       192.168.4.1        UGS        0      314     -     8 vlan2   <- this is the culprit
192.168.4.0/28     192.168.4.1        UCn        2        0     -     4 vlan2
You'll note I manually (flag S) added this rather senseless route to gateway
192.168.4.1 (flag G), which is the very same machine.

Why did I do this?

To prevent leakage of packets which should be routed via IPsec. Without this
pseudo-route, packets from localhost to 192.168.0/22 would be routed via the
default route on pppoe0 and have their src IP masqueraded by nat-to 85.212.225.8,
which would not be caught by the IPsec flow.
If I'm doing something wrong here and should have solved this another way
please tell me.
Using a "flow esp in from 0.0.0.0/0" would work on the local side, but the
remote side would be required to accept packets from arbitrary IPs, too.
Christopher
--
http://gmerlin.de
OpenPGP: http://gmerlin.de/christopher.pub
2779 7F73 44FD 0736 B67A C410 69EC 7922 34B4 2566
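As an added example that is not part of the thread, of the proposed diff, or of OpenBSD's source: a small Python model of the ICMP-redirect decision made when forwarding, with the routing table and interface from the mail above reconstructed as data. The classic conditions (same in/out interface, not the default route, sender on that interface's attached network) reproduce the senseless "redirect to 192.168.4.1" from the thread; the `suppress_self` branch is a hypothetical extra check, written here for illustration only, that refuses to advertise one of the router's own addresses as a shortcut. The second router 192.168.4.2 and its 10.9/16 route are constructed to show a redirect that is still legitimately sent.

```python
# Added example (not the poster's diff nor OpenBSD kernel code): a simplified
# model of the ICMP-redirect decision in IP forwarding, using the routing
# table from the thread above as data, plus a hypothetical extra check that
# suppresses a redirect whose "shortcut" is the router itself.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    gateway: IPv4Address
    iface: str
    has_gateway: bool  # the G flag: next hop is a router, not a directly attached host


def route(dest: str, gateway: str, iface: str, has_gateway: bool) -> Route:
    return Route(IPv4Network(dest), IPv4Address(gateway), iface, has_gateway)


# Interfaces of the gateway: vlan2 from the ifconfig output above; pppoe0's
# local address from the route table, modelled as /32 since it is point-to-point.
IFACES = {
    "vlan2": IPv4Interface("192.168.4.1/28"),
    "pppoe0": IPv4Interface("85.212.225.8/32"),
}

# The relevant rows of `route -n show -inet` above. 192.168.0/22 is written
# as 192.168.0.0/22 because the ipaddress module wants full dotted quads.
ROUTES = [
    route("0.0.0.0/0", "62.27.93.143", "pppoe0", True),      # default, UGS
    route("192.168.0.0/22", "192.168.4.1", "vlan2", True),   # UGS, "the culprit"
    route("192.168.4.0/28", "192.168.4.1", "vlan2", False),  # UCn, connected
]


def lookup(routes, dst: IPv4Address):
    """Longest-prefix match; returns None when nothing matches."""
    best = None
    for r in routes:
        if dst in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def redirect_target(routes, ifaces, in_iface, src, dst, suppress_self=True):
    """Return the next hop an ICMP host redirect would advertise to `src`,
    or None when no redirect is sent.

    Mirrors the classic conditions: packet leaves on the interface it came
    in on, the match is not the default route, and the sender sits on that
    interface's directly attached network. `suppress_self` is a hypothetical
    extra check added here for illustration: never advertise our own address.
    """
    src, dst = IPv4Address(src), IPv4Address(dst)
    rt = lookup(routes, dst)
    if rt is None or rt.dest.prefixlen == 0:
        return None          # unreachable, or only the default route matched
    if rt.iface != in_iface:
        return None          # leaves via another interface: no shortcut to offer
    if src not in ifaces[in_iface].network:
        return None          # sender could not reach the next hop directly anyway
    nexthop = rt.gateway if rt.has_gateway else dst
    if suppress_self and any(nexthop == ifc.ip for ifc in ifaces.values()):
        return None          # the "shortcut" is ourselves: redirect is senseless
    return str(nexthop)


def demo():
    """Results for the thread's scenario plus a constructed legitimate case."""
    # Constructed: a second router 192.168.4.2 on the same LAN owns 10.9/16.
    routes = ROUTES + [route("10.9.0.0/16", "192.168.4.2", "vlan2", True)]
    return {
        # A (192.168.4.7) -> B (192.168.1.2): the redirect observed in the thread
        "thread_naive": redirect_target(routes, IFACES, "vlan2",
                                        "192.168.4.7", "192.168.1.2", False),
        "thread_fixed": redirect_target(routes, IFACES, "vlan2",
                                        "192.168.4.7", "192.168.1.2", True),
        # A -> 10.9.1.1: a genuine shortcut via the other router, still sent
        "other_router": redirect_target(routes, IFACES, "vlan2",
                                        "192.168.4.7", "10.9.1.1", True),
        # A -> Internet: leaves via pppoe0, so no redirect at all
        "via_default": redirect_target(routes, IFACES, "vlan2",
                                       "192.168.4.7", "93.184.216.34", True),
    }


if __name__ == "__main__":
    for case, target in demo().items():
        print(f"{case}: {target}")
```

Running it shows the thread's case yielding 192.168.4.1 under the plain rules and nothing once the router's own addresses are excluded, while the redirect towards the constructed second router survives; the model does not look at IPsec flows, which is why the route lookup alone decides the outcome here.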