October 19, 2018

CCIE Security v5 :: ICMP Redirects

(Last Updated On: 16th January 2018)

Today I wanted to share my CCIE Security notes on ICMP redirect messages.

ICMP redirection is used to notify a host that a better first hop exists for packets destined for a specific destination. The feature is available and enabled by default in all Cisco IOS releases, but there are cases in which it is disabled. Before diving into the details, note that on devices running pre-12.1(3) IOS code, ICMP redirection is disabled on interfaces running HSRP; devices running 12.1(3) or later code can still send ICMP redirect messages when HSRP is enabled on an interface.

Certain conditions need to be met for a router to send an ICMP redirect:

  • The interface on which the packet arrives must be the same interface the packet is forwarded back out of (we will look at this in more detail later in this post)
  • The packet is not source-routed, meaning the sender has not specified the packet's route in the IP header
  • The source IP address of the packet is on the same subnet as the next hop

ICMP redirect is enabled by default, but if you are investigating ICMP redirect behaviour on a production network, it may have been disabled on the interface with the following command:

(config-if)#no ip redirects

Below is the topology I created to demonstrate ICMP redirection; the command output for all devices is shown further down.

Main Network: 172.16.1.0/24

Host2 to R2 Network: 192.168.1.0/24

Before we look at the configuration, let's first walk through the packet flow in more detail by referring to the arrows in the topology below.


  • When HOST sends a packet destined for HOST2, the packet goes to its default gateway, R1 (black arrow). Because R1 has to forward the packet back out of the same interface it arrived on to reach the destination, R1 sends an ICMP redirect message to HOST to notify it that a better route exists (red arrow). The redirect tells HOST to use R2 as the next-hop IP address to reach HOST2 (blue arrow).

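To make the three conditions above and the packet flow just described concrete, here is an added example (my own code, not Cisco IOS or anything from the original post) that models R1's redirect decision. The interface and route tables mirror the post's topology: R1 at 172.16.1.1 on FastEthernet0/0, 192.168.1.0/24 learned via OSPF with next hop R2 (172.16.1.2), HOST at 172.16.1.5. The function and table names are mine.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: IPv4Network
    next_hop: Optional[IPv4Address]  # None means the prefix is directly connected
    interface: str


# R1 as the post describes it: one interface in 172.16.1.0/24, a connected route
# for that subnet, and 192.168.1.0/24 learned via OSPF from R2 (172.16.1.2).
R1_INTERFACES: Dict[str, IPv4Network] = {"FastEthernet0/0": IPv4Network("172.16.1.0/24")}
R1_ROUTES: List[Route] = [
    Route(IPv4Network("172.16.1.0/24"), None, "FastEthernet0/0"),
    Route(IPv4Network("192.168.1.0/24"), IPv4Address("172.16.1.2"), "FastEthernet0/0"),
]


def longest_match(routes: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Plain longest-prefix-match lookup over a small static table."""
    best = None
    for route in routes:
        if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def redirect_decision(src: str, dst: str, ingress_if: str,
                      routes: List[Route], interfaces: Dict[str, IPv4Network],
                      source_routed: bool = False,
                      redirects_enabled: bool = True) -> Optional[IPv4Address]:
    """Return the gateway the router would advertise in an ICMP redirect, or None.

    None means the packet is forwarded (or dropped) without a redirect: the feature
    is off on the ingress interface, or one of the three conditions is not met.
    """
    src_addr, dst_addr = IPv4Address(src), IPv4Address(dst)
    if not redirects_enabled:            # 'no ip redirects' configured on the ingress interface
        return None
    if source_routed:                    # condition 2: source-routed packets never trigger a redirect
        return None
    route = longest_match(routes, dst_addr)
    if route is None or route.next_hop is None:
        return None                      # no route, or destination directly connected: nothing better to offer
    if route.interface != ingress_if:    # condition 1: egress interface must equal the ingress interface
        return None
    on_link = interfaces[ingress_if]
    if src_addr not in on_link or route.next_hop not in on_link:
        return None                      # condition 3: source and next hop must share the ingress subnet
    return route.next_hop


if __name__ == "__main__":
    # HOST -> HOST2 arrives on Fa0/0 and would leave via Fa0/0 towards R2: redirect to 172.16.1.2
    print(redirect_decision("172.16.1.5", "192.168.1.2", "FastEthernet0/0", R1_ROUTES, R1_INTERFACES))
```

Running it for HOST to HOST2 returns 172.16.1.2, which is exactly what the debug output in the next section shows R1 advertising; traffic to a directly connected address, a source-routed packet, or an interface with redirects disabled all return None.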

Below are the debug messages from R1 when HOST sends packets to HOST2.

The redirect message from R1 is sent to HOST (172.16.1.5) when traffic is destined for HOST2 (192.168.1.2); you can also see that R1 tells HOST to use R2 (172.16.1.2) as the gateway.

Depending on your environment and configuration, ICMP redirect may or may not be enabled. It is important to point out that ICMP redirect messages can be abused by an attacker on the local segment to steer a host's traffic through themselves (a man-in-the-middle), which is why the feature is disabled in some environments. ICMP redirect mainly complements statically routed environments rather than dynamically routed ones, where routes are learned dynamically anyway.
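The man-in-the-middle concern above is why RFC 1122 (section 3.2.2.2) tells hosts to honour a redirect only when it comes from the current first-hop gateway for the destination and names a new gateway on a directly connected network. The following is an added example (my own code, not from the post or from Cisco) of what a host, or a sensor watching the segment, can check before trusting a redirect: it parses a raw IPv4/ICMP type 5 message, verifies both checksums, and applies those rules. The packet bytes are constructed in build_redirect() purely as sample input, using the post's addresses (HOST 172.16.1.5 with default gateway R1 172.16.1.1, R2 172.16.1.2, HOST2 192.168.1.2); all function names are mine.

```python
import struct
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, Iterable, List, Tuple


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_redirect(sender: str, new_gateway: str, orig_src: str, orig_dst: str, code: int = 1) -> bytes:
    """Constructed test vector: IPv4 packet carrying an ICMP redirect (type 5).

    As RFC 792 lays it out, the redirect quotes the IP header plus 8 bytes of the
    datagram that triggered it; here that is a made-up ICMP echo from orig_src to orig_dst.
    """
    orig = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 1, 0,
                       IPv4Address(orig_src).packed, IPv4Address(orig_dst).packed)
    orig = orig[:10] + struct.pack("!H", inet_checksum(orig)) + orig[12:]
    orig += b"\x08\x00\xf7\xff\x00\x00\x00\x00"          # first 8 bytes of the quoted echo request
    icmp = struct.pack("!BBH4s", 5, code, 0, IPv4Address(new_gateway).packed) + orig
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x4321, 0, 255, 1, 0,
                     IPv4Address(sender).packed, IPv4Address(orig_src).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_redirect(pkt: bytes) -> Dict[str, object]:
    """Decode an ICMP redirect out of a raw IPv4 packet, verifying both checksums."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if pkt[9] != 1:
        raise ValueError("not ICMP (protocol %d)" % pkt[9])
    icmp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    if len(icmp) < 8 + 20 or inet_checksum(icmp) != 0:
        raise ValueError("ICMP message truncated or bad checksum")
    if icmp[0] != 5:
        raise ValueError("ICMP type %d is not a redirect" % icmp[0])
    quoted = icmp[8:]                    # IP header of the datagram that triggered the redirect
    return {
        "sender": IPv4Address(pkt[12:16]),
        "new_gateway": IPv4Address(icmp[4:8]),
        "code": icmp[1],                 # 0 network, 1 host, 2 network+ToS, 3 host+ToS
        "orig_src": IPv4Address(quoted[12:16]),
        "orig_dst": IPv4Address(quoted[16:20]),
    }


def is_well_formed(pkt: bytes) -> bool:
    try:
        parse_redirect(pkt)
        return True
    except ValueError:
        return False


def validate_redirect(info: Dict[str, object], my_addrs: Iterable[str], on_link: str,
                      first_hop_for: Callable[[IPv4Address], IPv4Address]) -> Tuple[bool, List[str]]:
    """RFC 1122 3.2.2.2 acceptance rules; returns (accept, reasons_to_reject)."""
    mine = {IPv4Address(a) for a in my_addrs}
    link = IPv4Network(on_link)
    reasons: List[str] = []
    if info["orig_src"] not in mine:
        reasons.append("quoted datagram was not sent by this host")
    if first_hop_for(info["orig_dst"]) != info["sender"]:
        reasons.append("sender %s is not the current first-hop gateway for %s" % (info["sender"], info["orig_dst"]))
    if info["new_gateway"] not in link:
        reasons.append("advertised gateway %s is not on the directly connected network" % info["new_gateway"])
    if info["code"] not in (0, 1, 2, 3):
        reasons.append("unknown redirect code %d" % info["code"])
    return not reasons, reasons


# HOST from the post: 172.16.1.5/24 with a single default route via R1 (172.16.1.1).
HOST_ADDRS = ["172.16.1.5"]
HOST_LINK = "172.16.1.0/24"


def host_first_hop(dst: IPv4Address) -> IPv4Address:
    return IPv4Address("172.16.1.1")


def check(pkt: bytes) -> Tuple[bool, List[str]]:
    return validate_redirect(parse_redirect(pkt), HOST_ADDRS, HOST_LINK, host_first_hop)


# Constructed samples: the legitimate redirect R1 sends in the post, and two that a host must ignore.
LEGIT = build_redirect("172.16.1.1", "172.16.1.2", "172.16.1.5", "192.168.1.2")
OFF_LINK = build_redirect("172.16.1.1", "10.0.0.1", "172.16.1.5", "192.168.1.2")
WRONG_SENDER = build_redirect("172.16.1.200", "172.16.1.2", "172.16.1.5", "192.168.1.2")

if __name__ == "__main__":
    for name, pkt in [("R1 redirect", LEGIT), ("off-link gateway", OFF_LINK), ("unexpected sender", WRONG_SENDER)]:
        print(name, check(pkt))
```

Only the first sample is accepted: it comes from HOST's configured gateway and points at another router on 172.16.1.0/24. A redirect naming an off-link gateway, or one that does not come from the current first-hop router, is rejected with the reason recorded, which is the event a sensor on the segment would want to alert on.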

Summary of configurations

HOST(config)#do show run
!
hostname HOST
!
interface FastEthernet0/0
 ip address 172.16.1.5 255.255.255.0
 duplex full
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
end


R1(config)#do show run
!
hostname R1
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex full
!
router ospf 1
 network 172.16.1.0 0.0.0.255 area 0
!
end


R2(config)#do show run
!
hostname R2
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 duplex full
!
router ospf 1
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
end


HOST2(config)#do sh run
!
hostname HOST2
!
interface FastEthernet1/0
 ip address 192.168.1.2 255.255.255.0
 duplex full
!
interface Ethernet2/0
 ip address 192.168.2.1 255.255.255.0
 duplex full
!
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
end


Security Solutions Consulting Engineer @ Cisco - CCNA R&S/CCNA Security, CCDA & CCNP R&S - Currently working on CCIE Security. Sharing my knowledge and passion for technology. All views are mine and NOT of my company.
