<HTML>
<HEAD>
<TITLE>The Internet Control Message Protocol</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.57">
<LINK REL="HOME" TITLE="Linux Network Administrators Guide" HREF="index.html">
<LINK REL="UP" TITLE="Issues of TCP/IP Networking" HREF="x-087-2-issues.html">
<LINK REL="PREVIOUS" TITLE="IP Routing" HREF="x-087-2-issues.routing.html">
<LINK REL="NEXT" TITLE="Resolving Host Names" HREF="x-087-2-issues.resolving.html">
</HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Linux Network Administrators Guide</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="x-087-2-issues.routing.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 2. Issues of TCP/IP Networking</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="x-087-2-issues.resolving.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="X-087-2-ISSUES.ICMP">2.5. The Internet Control Message Protocol</A></H1>
<P>IP has a companion protocol that we haven't talked about yet. This is the <I CLASS="EMPHASIS">Internet Control Message Protocol</I> (ICMP), used by the kernel networking code to communicate error messages to other hosts. For instance, assume that you are on <SPAN CLASS="SYSTEMITEM">erdos</SPAN> again and want to <B CLASS="COMMAND">telnet</B> to port 12345 on <SPAN CLASS="SYSTEMITEM">quark</SPAN>, but there's no process listening on that port. When the first TCP packet for this port arrives on <SPAN CLASS="SYSTEMITEM">quark</SPAN>, the networking layer will recognize this arrival and immediately return an ICMP message to <SPAN CLASS="SYSTEMITEM">erdos</SPAN> stating “Port Unreachable.”</P>
<P>The ICMP protocol provides several different messages, many of which deal with error conditions. However, there is one very interesting message called the Redirect message. It is generated by the routing module when it detects that another host is using it as a gateway, even though a much shorter route exists. For example, after booting, the routing table of <SPAN CLASS="SYSTEMITEM">sophus</SPAN> may be incomplete. It might contain the routes to the Mathematics network, to the FDDI backbone, and the default route pointing at the Groucho Computing Center's gateway (<SPAN CLASS="SYSTEMITEM">gcc1</SPAN>). Thus, packets for <SPAN CLASS="SYSTEMITEM">quark</SPAN> would be sent to <SPAN CLASS="SYSTEMITEM">gcc1</SPAN> rather than to <SPAN CLASS="SYSTEMITEM">niels</SPAN>, the gateway to the Physics department. When receiving such a datagram, <SPAN CLASS="SYSTEMITEM">gcc1</SPAN> will notice that this is a poor choice of route and will forward the packet to <SPAN CLASS="SYSTEMITEM">niels</SPAN>, meanwhile returning an ICMP Redirect message to <SPAN CLASS="SYSTEMITEM">sophus</SPAN> telling it of the superior route.</P
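>
<P>The two exchanges described above, the “Port Unreachable” reply to <SPAN CLASS="SYSTEMITEM">erdos</SPAN> and the Redirect sent to <SPAN CLASS="SYSTEMITEM">sophus</SPAN>, as an added example that is not part of the original guide: a small Python decoder for ICMP messages in their RFC 792 layout. It verifies the one's-complement checksum, names the type and code, and for Destination Unreachable and Redirect messages pulls the quoted IP header and transport ports back out of the payload, which is how a receiving host knows <I>which</I> connection the error refers to. The addresses are constructed TEST-NET placeholders, not the guide's real ones, and the function names are this example's own.</P>

```python
import struct
import ipaddress

# Type and code names for the ICMP messages discussed in the text (RFC 792).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded"}
UNREACHABLE_CODES = {0: "Net Unreachable", 1: "Host Unreachable",
                     2: "Protocol Unreachable", 3: "Port Unreachable"}
REDIRECT_CODES = {0: "Redirect for Network", 1: "Redirect for Host",
                  2: "Redirect for TOS and Network", 3: "Redirect for TOS and Host"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes) -> bytes:
    """ICMP message: type, code, checksum, 4-byte 'rest of header', payload."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def parse_icmp(msg: bytes) -> dict:
    """Decode an ICMP message; raise ValueError if it is truncated or corrupt.
    Error messages (types 3, 5, 11) quote the offending IP header plus the
    first 8 bytes of its payload, which is enough to recover TCP/UDP ports."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = msg[0], msg[1]
    result = {"type": icmp_type, "code": code,
              "type_name": ICMP_TYPES.get(icmp_type, "Unknown")}
    if icmp_type == 3:
        result["code_name"] = UNREACHABLE_CODES.get(code, "Unknown")
    elif icmp_type == 5:
        result["code_name"] = REDIRECT_CODES.get(code, "Unknown")
        result["gateway"] = str(ipaddress.IPv4Address(msg[4:8]))  # new first hop
    if icmp_type in (3, 5, 11):
        quoted = msg[8:]
        if len(quoted) < 20:
            raise ValueError("quoted datagram shorter than an IP header")
        ihl = (quoted[0] & 0x0F) * 4
        proto = quoted[9]
        result["orig_src"] = str(ipaddress.IPv4Address(quoted[12:16]))
        result["orig_dst"] = str(ipaddress.IPv4Address(quoted[16:20]))
        result["orig_proto"] = proto
        if proto in (6, 17) and len(quoted) >= ihl + 4:  # TCP or UDP ports
            result["orig_sport"], result["orig_dport"] = struct.unpack(
                "!HH", quoted[ihl:ihl + 4])
    return result


def is_valid_icmp(msg: bytes) -> bool:
    """True when parse_icmp accepts the message (usable as a filter predicate)."""
    try:
        parse_icmp(msg)
        return True
    except ValueError:
        return False


def port_unreachable_scenario() -> dict:
    """Constructed: erdos sends a TCP SYN to quark:12345 where nothing listens;
    quark answers with Destination Unreachable, code 3 (Port Unreachable).
    Addresses are TEST-NET-1 placeholders, not the guide's real ones."""
    erdos, quark = "192.0.2.10", "192.0.2.20"
    # TCP header: sport, dport, seq, ack, data offset, flags (SYN), window, csum, urg
    syn = struct.pack("!HHIIBBHHH", 40000, 12345, 1, 0, 0x50, 0x02, 8192, 0, 0)
    offending = build_ipv4_header(erdos, quark, 6, len(syn)) + syn
    reply = build_icmp(3, 3, b"\x00\x00\x00\x00", offending[:28])
    return parse_icmp(reply)


def redirect_scenario() -> dict:
    """Constructed: gcc1 tells sophus to use niels for traffic to quark, after
    sophus sent a UDP datagram to quark through gcc1."""
    sophus, quark, niels = "192.0.2.30", "192.0.2.20", "192.0.2.40"
    udp = struct.pack("!HHHH", 5000, 53, 8, 0)  # sport, dport, length, checksum
    offending = build_ipv4_header(sophus, quark, 17, len(udp)) + udp
    redirect = build_icmp(5, 1, ipaddress.IPv4Address(niels).packed, offending[:28])
    return parse_icmp(redirect)
```

<P>Two points worth noticing when reading the decoded output: the Port Unreachable reply carries the original source and destination ports, so the sending kernel can map the error onto exactly one socket and fail that connection rather than the whole host; and a Redirect carries the proposed new gateway in the header's second word with nothing that proves who sent it, which is the lack of authenticity the next paragraph warns about. Anything that fails the checksum or is shorter than the protocol requires is rejected before any field is trusted.</P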
><P>This seems to be a very clever way to avoid manually setting up any but the most basic routes. However, be warned that relying on dynamic routing schemes, whether RIP or ICMP Redirect messages, is not always a good idea. ICMP Redirect and RIP offer you little or no way of verifying that a piece of routing information is indeed authentic. This situation allows malicious good-for-nothings to disrupt all of your network traffic, or even worse. Consequently, the Linux networking code treats Network Redirect messages as if they were Host Redirects. This minimizes the damage of an attack by restricting it to just one host, rather than the whole network. On the flip side, it means that a little more traffic is generated in the event of a legitimate condition, as each host causes the generation of a separate ICMP Redirect message. It is generally considered bad practice to rely on ICMP redirects for anything these days.</P
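>
<P>The acceptance policy this paragraph describes, as an added example that is not the guide's or the kernel's code: a toy routing table for <SPAN CLASS="SYSTEMITEM">sophus</SPAN> that applies the RFC 1122 sanity checks a host should make before honouring a Redirect (the sender must be the gateway currently in use for that destination, and the new gateway must be on the local link) and then, as the text says Linux does, installs even a Network Redirect as a host route for the single destination concerned. The topology uses constructed TEST-NET placeholder addresses, the <CODE>accept_redirects</CODE> switch models a local policy knob, and all names are this example's own.</P>

```python
import ipaddress
from dataclasses import dataclass, field

REDIRECT_NET, REDIRECT_HOST = 0, 1  # ICMP Redirect codes 0 and 1


@dataclass
class Interface:
    address: str          # this host's own address on the link
    network: str          # the directly connected prefix, e.g. "192.0.2.0/24"
    default_gateway: str  # current first hop for everything off-link


@dataclass
class RouteTable:
    iface: Interface
    # Host routes learned from redirects: destination -> gateway. Keeping them
    # per destination is what limits a bogus redirect to a single host.
    host_routes: dict = field(default_factory=dict)

    def next_hop(self, dst: str) -> str:
        return self.host_routes.get(dst, self.iface.default_gateway)


def validate_redirect(table, redirect_src, code, new_gateway, orig_dst,
                      accept_redirects=True):
    """Decide whether a Redirect may be honoured; return (accepted, reason).
    The reason string is meant to be logged, so rejected redirects are visible
    to whoever watches the host. Names here are this example's, not the kernel's."""
    if not accept_redirects:
        return False, "redirects disabled by local policy"
    if code not in (0, 1, 2, 3):
        return False, f"unknown redirect code {code}"
    # Only the router we are currently sending through has standing to redirect us.
    if redirect_src != table.next_hop(orig_dst):
        return False, f"sender {redirect_src} is not our current first hop"
    # The new gateway must sit on the same link, or the redirect is nonsense.
    if ipaddress.ip_address(new_gateway) not in ipaddress.ip_network(table.iface.network):
        return False, f"new gateway {new_gateway} is not on the local link"
    if new_gateway == table.iface.address:
        return False, "redirect points back at this host"
    return True, "accepted"


def apply_redirect(table, redirect_src, code, new_gateway, orig_dst,
                   accept_redirects=True):
    """Validate, then install. A Network Redirect (code 0) is deliberately
    installed as a host route for orig_dst only, as the text says Linux does."""
    ok, reason = validate_redirect(table, redirect_src, code, new_gateway,
                                   orig_dst, accept_redirects)
    if ok:
        table.host_routes[orig_dst] = new_gateway
    return ok, reason


def redirect_scenario():
    """Constructed topology with TEST-NET placeholder addresses (not the guide's):
    sophus sits on 192.0.2.0/24 with gcc1 as default gateway; niels is the
    Physics gateway on the same link; quark and another Physics host lie behind it."""
    sophus = Interface("192.0.2.30", "192.0.2.0/24", "192.0.2.1")
    gcc1, niels, other_host = "192.0.2.1", "192.0.2.40", "192.0.2.66"
    quark, physics_other = "198.51.100.20", "198.51.100.21"
    table = RouteTable(sophus)
    log = [
        # 1. Legitimate Network Redirect from the gateway we actually use.
        apply_redirect(table, gcc1, REDIRECT_NET, niels, quark),
        # 2. A redirect from a host that is not our current gateway is rejected.
        apply_redirect(table, other_host, REDIRECT_HOST, other_host, physics_other),
        # 3. Our gateway names a next hop that is not on the local link.
        apply_redirect(table, gcc1, REDIRECT_HOST, "203.0.113.1", physics_other),
        # 4. Same sender as 1, but with redirects switched off by policy.
        apply_redirect(table, gcc1, REDIRECT_HOST, niels, physics_other,
                       accept_redirects=False),
    ]
    return table, log
```

<P>After the first, legitimate redirect, traffic for <SPAN CLASS="SYSTEMITEM">quark</SPAN> goes through <SPAN CLASS="SYSTEMITEM">niels</SPAN>, but traffic for the other Physics host still goes through <SPAN CLASS="SYSTEMITEM">gcc1</SPAN>, which is the extra-traffic cost the text mentions and also the reason a forged redirect can misdirect at most one destination. The last case is the policy the paragraph ends on: on a current Linux host the equivalent switch is the <CODE>net.ipv4.conf.&lt;interface&gt;.accept_redirects</CODE> sysctl, and setting it to 0 (with <CODE>send_redirects</CODE> likewise disabled on machines that do not route) is the usual way of not relying on ICMP redirects at all.</P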
></DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="x-087-2-issues.routing.html">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="x-087-2-issues.resolving.html">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">IP Routing</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="x-087-2-issues.html">Up</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">Resolving Host Names</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>