ICMP Redirects

Today I wanted to share my CCIE Security notes on ICMP redirect messages.

ICMP redirection is used to notify hosts that a better route is available for packets destined for a specific destination. This feature is available and enabled by default on all Cisco IOS releases, but it is worth mentioning that there may be cases where ICMP redirection is disabled. Before diving into the details, it is important to note that on devices running code older than IOS 12.1(3), ICMP redirection is disabled on interfaces that are running HSRP. Cisco devices running 12.1(3) or later can still send ICMP redirect messages when HSRP is enabled on an interface.
Certain conditions need to be met in order for ICMP redirection to occur. These are as follows:
  1. The router interface on which the packet arrives must be the same interface that the packet is re-routed out of (we will discuss this further later in this post)
  2. The packet is not source-routed, meaning the sender has not specified the route of the packet in the IP header
  3. The source IP address is on the same subnet/network as the next hop
It is also worth mentioning that ICMP redirect is enabled by default, but if you are investigating ICMP redirect on a production network, it may have been disabled on the interface with the following command:
(config-if)#no ip redirects
Below is a topology I created to demonstrate ICMP redirection, all command output for devices will be shown below.
 
Main Network: 172.16.1.0/24
Host2 to R2 Network: 192.168.1.0/24
Before we take a look at the configuration, let's first take a look at the packet flow in more detail by referring to the arrows in the topology below.
When a packet is sent from HOST with a destination of HOST2, the packet is sent to the default gateway, R1 (Black Arrow). Because the packet has to be forwarded back out of the same interface to reach the destination, R1 sends an ICMP redirect message to HOST to notify HOST that a better route exists to reach the destination (Red Arrow). The ICMP redirect message tells HOST to use R2 as the next-hop IP address to reach HOST2 (Blue Arrow).
Below are the debug messages from R1 when HOST sends packets to HOST2.
The redirect message from R1 is sent to HOST (172.16.1.5) when traffic is destined for HOST2 (192.168.1.2). You can also see that R1 tells HOST to use R2 (172.16.1.2) as the gateway.
Depending on your environment and configuration, you may or may not have ICMP redirect enabled. It is important to point out that ICMP redirect can be abused by attackers for man-in-the-middle attacks, since a forged redirect changes the flow of traffic, which is why this feature is disabled in some environments. This feature often complements static routing environments more than dynamic routing environments, where routes can be determined dynamically.
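To tie the three conditions, the redirect message itself and the man-in-the-middle concern together, here is an added example (my own illustration, not code or output from the original post). It models R1's decision for HOST's traffic to HOST2 using the addresses from the topology above, builds and parses the resulting ICMP type 5 message as laid out in RFC 792, and then applies the host-side sanity checks from RFC 1122 (the redirect must come from the current first-hop gateway and the new gateway must be on the local subnet) that separate a legitimate redirect from R1 from a forged one. The routing table and the quoted IP header are constructed for the example.

```python
import ipaddress
import struct

# Addresses from the post's topology; the routing table below is constructed
# to mirror it (R1 learns 192.168.1.0/24 from R2 via OSPF) and is not a real RIB.
HOST, R1, R2, HOST2 = "172.16.1.5", "172.16.1.1", "172.16.1.2", "192.168.1.2"
R1_INTERFACES = {"Fa0/0": ipaddress.ip_network("172.16.1.0/24")}
R1_ROUTES = {  # destination network -> (egress interface, next hop or None if connected)
    ipaddress.ip_network("172.16.1.0/24"): ("Fa0/0", None),
    ipaddress.ip_network("192.168.1.0/24"): ("Fa0/0", R2),
}


def redirect_target(interfaces, routes, in_iface, src, dst, source_routed=False):
    """Gateway a router would advertise in an ICMP redirect, or None if no redirect is due.
    Applies the three conditions from the post; directly connected destinations are not modelled."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    match = max((n for n in routes if dst_ip in n), key=lambda n: n.prefixlen, default=None)
    if match is None:
        return None
    out_iface, next_hop = routes[match]
    if next_hop is None or out_iface != in_iface:   # condition 1: same ingress and egress interface
        return None
    if source_routed:                                 # condition 2: packet is not source-routed
        return None
    link = interfaces[in_iface]
    if src_ip not in link or ipaddress.ip_address(next_hop) not in link:  # condition 3: same subnet
        return None
    return next_hop


def icmp_checksum(data):
    """Standard ones-complement checksum; returns 0 when run over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(gateway, quoted_packet):
    """ICMP type 5 (Redirect), code 1 (redirect datagrams for the host) with the gateway
    address field followed by the original IP header plus 8 bytes, per RFC 792."""
    body = struct.pack("!BBH4s", 5, 1, 0, ipaddress.ip_address(gateway).packed) + quoted_packet
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_redirect(msg):
    """Parse a redirect; source/destination of the quoted IP header sit at fixed offsets 12 and 16."""
    icmp_type, code, _, gw = struct.unpack("!BBH4s", msg[:8])
    if icmp_type != 5:
        raise ValueError("not an ICMP redirect")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    inner = msg[8:]
    return {
        "code": code,
        "gateway": str(ipaddress.ip_address(gw)),
        "orig_src": str(ipaddress.ip_address(inner[12:16])),
        "orig_dst": str(ipaddress.ip_address(inner[16:20])),
    }


def reject_reasons(redirect, received_from, host_iface, current_gateway):
    """Host-side checks in the spirit of RFC 1122 3.2.2.2. Returns the reasons to discard the
    redirect; an empty list means the redirect passes every check."""
    iface = ipaddress.ip_interface(host_iface)
    reasons = []
    if received_from != current_gateway:
        reasons.append("sender is not the current first-hop gateway")
    if ipaddress.ip_address(redirect["gateway"]) not in iface.network:
        reasons.append("new gateway is not on the local subnet")
    if redirect["orig_src"] != str(iface.ip):
        reasons.append("quoted packet was not sent by this host")
    return reasons


# Constructed quoted packet: IP header (proto 1, HOST -> HOST2) plus an ICMP echo request header.
QUOTED = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0x1234, 0, 64, 1, 0,
                     ipaddress.ip_address(HOST).packed, ipaddress.ip_address(HOST2).packed)
QUOTED += struct.pack("!BBHHH", 8, 0, 0, 1, 1)


def demo():
    """R1 decides to redirect HOST, HOST parses the message, then checks a genuine and a forged copy."""
    gw = redirect_target(R1_INTERFACES, R1_ROUTES, "Fa0/0", HOST, HOST2)
    parsed = parse_redirect(build_redirect(gw, QUOTED))
    genuine = reject_reasons(parsed, R1, HOST + "/24", R1)          # arrived from R1
    forged = reject_reasons(parsed, "172.16.1.99", HOST + "/24", R1)  # arrived from some other sender
    return gw, parsed, genuine, forged


if __name__ == "__main__":
    print(demo())
```

The forged case shows why the check on the sender matters: the message body is byte-for-byte identical, and only the fact that it did not come from the current gateway gives it away, which is the same reason many environments simply disable redirect processing on hosts and `ip redirects` on router interfaces.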

Summary of configurations

HOST(config)#do show run
!
hostname HOST
!
interface FastEthernet0/0
 ip address 172.16.1.5 255.255.255.0
 duplex full
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
end

R1(config)#do show run
!
hostname R1
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex full
!
router ospf 1
 network 172.16.1.0 0.0.0.255 area 0
!
end

R2(config)#do show run
!
hostname R2
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 duplex full
!
router ospf 1
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
end

HOST2(config)#do sh run
!
hostname HOST2
!
interface FastEthernet1/0
 ip address 192.168.1.2 255.255.255.0
 duplex full
!
interface Ethernet2/0
 ip address 192.168.2.1 255.255.255.0
 duplex full
!
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
end
