Over the last few weeks several people have asked me about routes that mysteriously appear and then disappear. For example:

route print

Default Gateway: 10.10.10.1

Network Address  Gateway Address  Subnet Mask      Redirect       Life
172.16.0.0       10.10.10.172     255.255.0.0
Figure 1 – original routing table

And then

route print

Default Gateway: 10.10.10.1

Network Address  Gateway Address  Subnet Mask      Redirect      Life
172.16.0.0       10.10.10.172     255.255.0.0
172.16.1.2                        255.255.255.255  10.10.10.254  5 mins
Figure 2 – dynamic route added

And 5 minutes later

route print

Default Gateway: 10.10.10.1

Network Address  Gateway Address  Subnet Mask      Redirect       Life
172.16.0.0       10.10.10.172     255.255.0.0
Figure 3 – dynamic route deleted

These dynamic routes are added when the STCP stack receives an ICMP redirect message from one router telling it to use a different router. As the Life column shows, the routes have a 5 minute lifetime, so after 5 minutes they are deleted. Of course they can come back immediately if the stack receives another redirect message.

To describe the process in detail, let’s say that STCP is configured with a route to the 172.16.0.0/16 network through the router 10.10.10.172. In addition, there is another router on the network with the IP address 10.10.10.254. I’ll refer to these routers as R-172 and R-254. Both R-172 and R-254 can reach the 172.16.0.0/16 network, but R-172 uses a high bandwidth T3 connection while R-254 uses a low bandwidth dial up ISDN link.

The STCP routes look like figure 1 above; note that there is no explicit route using R-254.

When R-172’s T3 link goes down it can no longer reach the 172.16.0.0/16 network itself, but it knows that R-254 can. So when a packet comes in for 172.16.1.2 it forwards that packet to R-254 (nothing is lost) and also sends an ICMP redirect message back to the sender. The sender, STCP in this case, builds a dynamic host route indicating that to reach 172.16.1.2 it should send packets directly to R-254 (figure 2).

Since these are host routes, every host on the 172.16.0.0/16 network that is sent a packet gets its own route with its own 5 minute timer. The route command shows the remaining lifetime of each route.

route print

Default Gateway: 10.10.10.1

Network Address  Gateway Address  Subnet Mask      Redirect      Life
172.16.0.0       10.10.10.172     255.255.0.0
172.16.1.1                        255.255.255.255  10.10.10.254  5 mins
172.16.1.8                        255.255.255.255  10.10.10.254  2 mins
172.16.1.23                       255.255.255.255  10.10.10.254  2 mins
172.16.1.65                       255.255.255.255  10.10.10.254  2 mins
172.16.1.101                      255.255.255.255  10.10.10.254  3 mins
172.16.1.200                      255.255.255.255  10.10.10.254  5 mins
Figure 4 – multiple host routes

When R-172’s T3 link comes up, what should happen is that hosts that do not have a host route use R-172 as if nothing ever happened. Packets for hosts that do have a host route still go to R-254, which knows that R-172’s link is back up (routers exchange route status with each other) and so forwards them to R-172. R-254 should also send an ICMP redirect back to the sender, resulting in a new host route using R-172 (figure 5).

route print

Default Gateway: 10.10.10.1

Network Address  Gateway Address  Subnet Mask      Redirect      Life
172.16.0.0       10.10.10.172     255.255.0.0
172.16.1.9                        255.255.255.255  10.10.10.172  3 mins
172.16.1.18                       255.255.255.255  10.10.10.172  4 mins
172.16.1.20                       255.255.255.255  10.10.10.172  2 mins
Figure 5 – host routes redirected back to original router

Under some conditions it may make sense for STCP not to create any dynamic routes. For example, suppose R-254 is down but R-172’s knowledge that R-254 can reach 172.16.0.0/16 is a static entry that was never removed. R-172 keeps sending redirects, and packets to hosts on the 172.16.0.0/16 network are simply dropped because R-254 can’t be reached. When R-172’s T3 comes back up you have the situation that those 172.16.0.0/16 hosts without a host route are reachable but those with an R-254 host route are not. Over time, as the R-254 routes time out, more and more hosts become reachable, but it takes up to 5 minutes to fully recover.
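To make the timing concrete, here is a small model of a host routing table that behaves the way the article describes: one static network route, a host route with a 5 minute timer for every redirected destination, expiry, the redirect back to R-172, and the on/off switch for redirects that the article introduces below. This is an added illustration written for this page, not STCP source; the class and method names (RouteTable, icmp_redirect, route_print) and the sanity checks on incoming redirects (taken from the RFC 1122 host requirements, not from any STCP documentation) are assumptions.

```python
"""Model of a host routing table that honours ICMP redirects.

Added illustration for this article, not STCP code.  The 5 minute
host-route lifetime, per-destination timers and the listen_redirects
on/off switch follow the article; RouteTable, icmp_redirect and
route_print are hypothetical names, and the two checks on incoming
redirects come from RFC 1122, not from STCP.
"""
import ipaddress
from dataclasses import dataclass, field

REDIRECT_LIFETIME = 300  # seconds; shown as "5 mins" by route print


@dataclass
class HostRoute:
    gateway: str       # the Redirect column in route print
    expires_at: float  # simulated clock value at which the route is deleted


@dataclass
class RouteTable:
    default_gateway: str
    local_net: str                                        # directly connected subnet
    network_routes: dict = field(default_factory=dict)    # "172.16.0.0/16" -> gateway
    host_routes: dict = field(default_factory=dict)       # "172.16.1.2" -> HostRoute
    listen_redirects: bool = True                         # same meaning as the STCP parameter
    now: float = 0.0                                      # simulated clock, seconds

    def tick(self, seconds: float) -> None:
        """Advance the clock and delete host routes whose lifetime has expired."""
        self.now += seconds
        self.host_routes = {d: r for d, r in self.host_routes.items()
                            if r.expires_at > self.now}

    def next_hop(self, dst: str) -> str:
        """Host route first, then the longest matching network route, then the default."""
        if dst in self.host_routes:
            return self.host_routes[dst].gateway
        addr = ipaddress.ip_address(dst)
        best = None
        for net, gw in self.network_routes.items():
            n = ipaddress.ip_network(net)
            if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, gw)
        return best[1] if best else self.default_gateway

    def icmp_redirect(self, src_router: str, dst: str, new_gateway: str) -> bool:
        """Handle 'src_router says: reach dst via new_gateway'.  True if a route was created."""
        if not self.listen_redirects:            # listen_redirects off: message ignored
            return False
        # RFC 1122 host checks: only the router we are currently sending through for dst
        # may redirect us, and the new gateway must be on the local network.  A sender that
        # forges the current gateway's source address passes both, which is the weakness
        # the article describes.
        if src_router != self.next_hop(dst):
            return False
        if ipaddress.ip_address(new_gateway) not in ipaddress.ip_network(self.local_net):
            return False
        self.host_routes[dst] = HostRoute(new_gateway, self.now + REDIRECT_LIFETIME)
        return True

    def remaining_life(self, dst: str):
        """Seconds left on the host route for dst, or None if there is none."""
        r = self.host_routes.get(dst)
        return None if r is None else int(r.expires_at - self.now)

    def route_print(self) -> str:
        """Render the table in the layout of the article's 'route print' output."""
        lines = [f"Default Gateway: {self.default_gateway}", "",
                 f"{'Network Address':<16} {'Gateway Address':<16} "
                 f"{'Subnet Mask':<16} {'Redirect':<13} Life"]
        for net, gw in self.network_routes.items():
            n = ipaddress.ip_network(net)
            lines.append(f"{str(n.network_address):<16} {gw:<16} {str(n.netmask):<16}")
        for dst, r in sorted(self.host_routes.items(),
                             key=lambda kv: ipaddress.ip_address(kv[0])):
            mins = -(-self.remaining_life(dst) // 60)   # whole minutes, rounded up (model's choice)
            lines.append(f"{dst:<16} {'':<16} {'255.255.255.255':<16} {r.gateway:<13} {mins} mins")
        return "\n".join(lines)


if __name__ == "__main__":
    rt = RouteTable("10.10.10.1", "10.10.10.0/24", {"172.16.0.0/16": "10.10.10.172"})
    rt.icmp_redirect("10.10.10.172", "172.16.1.2", "10.10.10.254")   # T3 down, figure 2
    rt.tick(180)
    rt.icmp_redirect("10.10.10.172", "172.16.1.8", "10.10.10.254")   # another host, own timer
    print(rt.route_print())
    rt.tick(120)                                                      # .2 route has aged out
    print(rt.route_print())
```

Running the script prints the two-host table (one route with 2 minutes left, one with 5) and then, two minutes later, the table with only the fresher route remaining; packets for 172.16.1.2 have silently fallen back to the network route through R-172, which is the recovery behaviour the article describes.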

Some security experts also view the dynamic routes created in this way as a security issue. Any host on the network can send an ICMP redirect message, redirecting packets to a different gateway, for example one where packets with sensitive content such as passwords or account information can be captured. The receiving host has no way to authenticate a redirect: at best it can check that the message appears to come from the router it is currently using for that destination, and a source address on a LAN is trivial to forge.
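To show why that check is weak, here is a parser for an ICMPv4 redirect (RFC 792 type 5) together with the validation a host can apply to it (the RFC 1122 checks plus one extra sanity check). This is an added example for this page, not STCP code and not a description of how STCP validates redirects. The packets are constructed inline with build_redirect for illustration; the router addresses are the article's, while the host 10.10.10.5 and the neighbour 10.10.10.66 are made up.

```python
"""Parse and validate an ICMPv4 Redirect (type 5) message.

Added example for this article, not STCP code.  build_redirect creates
the test packets; the addresses 10.10.10.5 (our host) and 10.10.10.66
(a neighbour nominating itself as gateway) are constructed for the demo.
"""
import ipaddress
import struct

ICMP_REDIRECT = 5


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a header with a valid checksum it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_redirect(router: str, host: str, new_gateway: str, orig_dst: str) -> bytes:
    """Redirect as a router sends it: type 5, code 1 (host), the new gateway address,
    then the IP header plus 8 bytes of the datagram that triggered it."""
    triggering = build_ipv4(host, orig_dst, 6, b"\x00" * 8)     # 20-byte header + 8 bytes
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0,
                       ipaddress.ip_address(new_gateway).packed) + triggering
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return build_ipv4(router, host, 1, icmp)


def parse_redirect(frame: bytes) -> dict:
    """Pull the fields a host acts on out of a raw IPv4 + ICMP redirect; ValueError if malformed."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1:
        raise ValueError("not ICMP")
    icmp = frame[ihl:]
    if len(icmp) < 8 + 20:
        raise ValueError("truncated redirect")
    typ, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if typ != ICMP_REDIRECT:
        raise ValueError("not a redirect")
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                          # header of the datagram that triggered the redirect
    return {
        "src_router": str(ipaddress.ip_address(frame[12:16])),
        "code": code,                         # RFC 1122 says to treat code 0 (network) as 1 (host)
        "new_gateway": str(ipaddress.ip_address(gw)),
        "orig_src": str(ipaddress.ip_address(inner[12:16])),
        "orig_dst": str(ipaddress.ip_address(inner[16:20])),
    }


def validate_redirect(frame: bytes, my_addr: str, gateway_in_use: str, local_net: str):
    """gateway_in_use is the first hop this host currently uses for the redirected
    destination.  Returns (accept, reason)."""
    r = parse_redirect(frame)
    if r["orig_src"] != my_addr:                      # extra sanity check: it quotes our packet
        return False, "quoted datagram was not sent by this host"
    if r["src_router"] != gateway_in_use:             # RFC 1122 3.2.2.2
        return False, "source is not the gateway in use"
    if ipaddress.ip_address(r["new_gateway"]) not in ipaddress.ip_network(local_net):
        return False, "new gateway is not on the local network"
    # Nothing above distinguishes a genuine redirect from one whose source address was
    # forged to be the gateway in use, which is why ignoring redirects altogether is the
    # only complete fix on a network you do not trust.
    return True, "accepted"


if __name__ == "__main__":
    HOST, R172, R254, NEIGHBOUR = "10.10.10.5", "10.10.10.172", "10.10.10.254", "10.10.10.66"
    for label, pkt in [("genuine", build_redirect(R172, HOST, R254, "172.16.1.2")),
                       ("naive", build_redirect(NEIGHBOUR, HOST, NEIGHBOUR, "172.16.1.2")),
                       ("forged source", build_redirect(R172, HOST, NEIGHBOUR, "172.16.1.2"))]:
        print(label, validate_redirect(pkt, HOST, R172, "10.10.10.0/24"))
```

The three cases printed at the end are the point: the genuine redirect from R-172 is accepted, a neighbour sending a redirect in its own name is rejected because it is not the gateway in use, and the same neighbour forging R-172's source address is accepted, with the host now sending its 172.16.1.2 traffic to 10.10.10.66 for the next 5 minutes.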

So is there a way to prevent these routes from being created?

Yes. The STCP configuration parameter listen_redirects controls how STCP handles ICMP redirect messages. The default setting “on” tells STCP to create these dynamic routes; the setting “off” tells STCP to ignore ICMP redirect messages. With redirects ignored, the scenario above still works: packets for 172.16.1.2 keep going to R-172, which forwards them to R-254 and sends a redirect that STCP discards. The cost is the extra hop across the local network while R-172’s link is down; the benefit is that no one on the network can steer your traffic with a redirect.

as:  list_stcp_params listen_redirects

listen to ICMP redirects [off/on]           (listen_redirects)      on 

as:  set_stcp_param listen_redirects off

Changing listen to ICMP redirects (listen_redirects)
from on to off
Figure 6 – setting the listen_redirects STCP parameter

Note that this parameter affects the system as a whole; you cannot specify that STCP should listen to redirects from some routers but not others. Any dynamic host routes already in the table when you turn it off will be gone within 5 minutes at the latest, since no new redirects are accepted to replace them.