IP Redirect or IP Proxy-arp

Unanswered Question
Oct 17th, 2007

Hello Experts,

We have a issue of disabling ip redirect/ip proxy-arp.

As a security measure, as soon as we disabe the ip redirect/ip proxy-arp some of the devices lost connection.

Case 1: A router fa0/0 connected to a switch fa 0/24. The switch is a layer 2 device with wrong default-gateway configured. It lost connectivity when the ip proxy-arp is removed from the router fa0/0 interface.

In other scenario, the ip devices (Servers etc.) with wrong default-gateway lost connection when ip redirect is removed. (or ip proxy-arp is removed, not sure, because both are removed)

How these can be confirmed?

How long the ip redirect cache is kept? What tests we can do to confirm?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Kevin Dorrell Wed, 10/17/2007 - 10:18

I think in both of these cases you lost connectivity because of the loss of proxy ARP. Aren't those precisely the cases you want to catch with your security measures?

Let's look at the host devices. If the switch had the wrong default-gateway configured, then for anything off net it would have ARPed for what it thought was the gateway. If the router had proxy ARP and a route to that address, then it would give its own MAC address.

Kevin Dorrell

Luxembourg

Richard Burts Wed, 10/17/2007 - 14:06

Aminul

I agree with Kevin in his analysis. Clearly in case 1 the switch with the incorrect default gateway was working because it was ARPing for its configured default-gateway and the router was responding. The description of case 2 is not quite as clear but I believe that Kevin is correct that the issue with the servers was not ip redirect but was proxy-arp.

And I think that Kevin makes a good point. If you implemented the change as part of improving the security policy then the loss of connectivity is part of the cost of improving the security posture. When the switches and the server are correctly configured the network will work and will be more secure.

If you want to confirm it I would suggest that you enable proxy-arp and see if things work again. And I am confident that they will.

I do not understand your question about:

How long the ip redirect cache is kept?

there is no cache of redirect. If a router receives a packet to forward and it forwards it back out the same interface then it generates a redirect. There is no cache of redirect messages.

HTH

Rick

Kevin Dorrell Wed, 10/17/2007 - 17:16

Rick,

I think Aminul must be referring to the redirect cache on the host side. As you say, if a router receives a packet to forward and it forwards it back out the same interface then it generates an ICMP redirect back to the sender. (Unless disabled.) "OK, I'll forward your packet, but could you please send it elsewhere next time."

It is up to the original sender host what he does with the ICMP redirect. Some, for valid security reasons, will ignore it and carry on sending through the router. Others will keep the ICMP information, and forward future packets to the new temporary gateway. But how long the host keeps that information is entirely up to itself.

If a router is acting as a host and it gets an ICMP redirect, what does it do? The answer is that it does take note of the redirect, and keeps it in a cache. I don't know for how long, and I don't know if you can disable that. But you can see the cache with show ip redirects

The host-side behavior is one of those features that is not well documented, and should have more geek-knobs, like cache time, enable/disable, etc.

About proxy arp, I have always felt that it could benefit for a couple of extra features. Like an access-list to control who I will proxy on behalf of, and/or to control who I will give a proxy ARP reponse to.

Kevin Dorrell

Luxembourg

Actions

This Discussion