
A traceroute from PC-1 shows that the path always includes R1.
Router as a Host option
In this test, we emulate the operation of a host on router R2 by simply disabling routing.

Let’s disable IP routing on R2 to emulate the function of a host, configure a default gateway towards R1, and see
Let’s do our ping test and check whether the redirection is installed to optimize this host’s traffic routing (enable it with the correct gateway over the 123.0.0.0/24 network).

Now the redirection is installed,
and this is confirmed by packets being sent directly to R3’s MAC address instead of R1’s (redirect, ARP, echo request, reply).

The Wireshark capture shows the packets being exchanged and the change in MAC addresses.
In the next test, let’s enable NAT routing to see if there’s any difference.
NAT
We now enable IP routing on R2 and configure it to NAT PC-1 traffic.

In the CLI output we see NAT translation in action: the inside local address space 12.0.0.0/24 is translated to the inside global address space 123.0.0.0/24 (how the outside sees the local inside subnet that we NAT).
We redo our ping test and use debug to check whether redirects are still generated by R1.

R1 still sends IP redirects.
But these packets do not get processed by R2, or at least debug ip icmp returns nothing…

A debug ip nat shows that packets from R1 get NATed too.
On the wire (the link between R1 and R2) we check that redirects are sent from router R1 to R2 in the subnet 123.0.0.0/24.

In the Wireshark output we check that R2 receives an IP packet from R1 sourced from 123.0.0.1 and destined to 123.0.0.2. The ICMP data is embedded in this IP packet and indicates ICMP message type 5, which is redirect, with code 1, redirect for host.
Traffic from R1 (the redirects) also gets NATed and passes through R2!

And redirects are being received by PC-1

Regular traffic from R1 (marked by a packet size of 1500 bytes) did not get passed through R2 even if NAT sessions are still active (which is another problem).
Need to see the RFC
Now let’s check what the RFC says.

To understand our findings, let’s walk through RFC 792, which describes the ICMP redirect implementation. The RFC states clearly that:
Taking into consideration the information from the RFC, here’s what happened in our network:
- R1 checks that the packet is coming from 123.0.0.0/24 (source IP address)
- it checks its routing table and finds a better gateway towards R3
- the packet source IP and R3’s fa0/0 interface are on the same subnet
- R1 sends a redirect message to R2
A full redirect message received by R2 is shown in this figure:
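The same message can also be read byte by byte. The following Python sketch is an added example, not part of the original lab: it decodes a constructed redirect from R1 (123.0.0.1) to R2 (123.0.0.2) and applies the two checks RFC 1122 asks a host to make before acting on a redirect. The new gateway 123.0.0.3 (standing in for R3) and the 3.3.3.3 destination are assumed values, not taken from the captures.

```python
import ipaddress
import struct

# Constructed sample (not a capture from the lab): R1 123.0.0.1 -> R2 123.0.0.2,
# ICMP type 5 code 1. The new gateway 123.0.0.3 (standing in for R3) and the
# 3.3.3.3 destination are assumptions; the page does not give them.
SAMPLE = bytes.fromhex(
    "4500003800000000ff01c5c17b0000017b000002"   # outer IPv4 header
    "05017ffb7b000003"                           # type, code, checksum, gateway
    "4500006400010000ff013a907b00000203030303"   # quoted original IPv4 header
    "0800f7fe00010000")                          # first 8 bytes of the echo request

CODES = {0: "network", 1: "host", 2: "TOS and network", 3: "TOS and host"}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; 0 when run over data with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def addr(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))

def parse_redirect(packet: bytes) -> dict:
    """Decode an RFC 792 redirect and the header of the datagram that caused it."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if packet[9] != 1 or len(icmp) < 36 or icmp[0] != 5:
        raise ValueError("not an ICMP redirect")
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    return {"sender": addr(packet[12:16]), "receiver": addr(packet[16:20]),
            "code": CODES.get(icmp[1], "unknown"), "gateway": addr(icmp[4:8]),
            "orig_src": addr(icmp[20:24]), "orig_dst": addr(icmp[24:28])}

def acceptable(r: dict, current_gw: str, subnet: str) -> bool:
    """RFC 1122 host checks: sent by the gateway in use, new gateway on-link."""
    on_link = ipaddress.ip_address(r["gateway"]) in ipaddress.ip_network(subnet)
    return r["sender"] == current_gw and on_link

if __name__ == "__main__":
    r = parse_redirect(SAMPLE)
    print(r, acceptable(r, "123.0.0.1", "123.0.0.0/24"))
```

A redirect that fails either check in `acceptable` (wrong sender, or a new gateway outside 123.0.0.0/24) is one a host should silently discard.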

In conclusion
ICMP redirection is aimed at hosts in the same network as the gateway, and not at packets with the IP source route option.