
RE: [FW1] IPSO 3.2 and IP Redirects



Please take a moment to review Nokia resolution 1501:

Why don't I see ICMP redirects when using VRRP Monitored Circuit?

VRRP Monitored Circuit disabled ICMP redirects to prevent breaking the
"transparent" fail-over by introducing a non-VRRP IP address.

Before generating the ICMP redirect the following checks must pass:
1. the packet is being forwarded out the same physical interface that
it was received on.
2. the packet IP source address is on the same logical IP subnet as
the next-hop IP address.
3. the packet does not contain IP source route option.

In the case of multiple IP addresses on a single network interface, check #2
is not satisfied because the source host is not in the same IP subnet as the
nexthop (the destination host). Therefore packets must always go through the
router, even with ICMP redirects.

-Jeff Hochberg

-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of Tom
Sevy
Sent: Tuesday, March 06, 2001 10:21 AM
To: 'Daniel Hitchcock'; '[email protected]'
Cc: Fw1-Wizards (E-mail); FWList (E-mail)
Subject: RE: [FW1] IPSO 3.2 and IP Redirects



No, but I would expect the Nokia to issue a redirect to the client telling
it to use 192.168.12.1

-----Original Message-----
From: Daniel Hitchcock [mailto:[email protected]]
Sent: Tuesday, March 06, 2001 9:24 AM
To: '[email protected]'; Tom Sevy
Cc: Fw1-Wizards (E-mail); FWList (E-mail)
Subject: RE: [FW1] IPSO 3.2 and IP Redirects



Makes sense to me.  You wouldn't want clients discovering the real IP
address of any machines in a VRRP configuration, as this would negate the
failover benefits of VRRP (same as Cisco HSRP, as mentioned below).

Someone stop me if this thinking is incorrect.

Dan Hitchcock
CCNA, CCSE, MCSE
Security Analyst
Breakwater Security [email protected]
http://www.breakwatersecurity.com


-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, March 06, 2001 4:22 AM
To: Tom Sevy
Cc: Fw1-Wizards (E-mail); FWList (E-mail)
Subject: Re: [FW1] IPSO 3.2 and IP Redirects



Don't know about IPSO, but given the similarity between VRRP and HSRP, this
may be a factor.  On Cisco's the activation of HSRP automatically disables
the ICMP redirect messages that the router would generate.  Maybe the same
applies?








Tom Sevy <[email protected]>@lists.us.checkpoint.com on 06/03/2001 11:59:47

Sent by:  [email protected]


To:   "Fw1-Wizards (E-mail)" <[email protected]>, "FWList
      (E-mail)" <[email protected]>
cc:
Subject:  [FW1] IPSO 3.2 and IP Redirects



If I have a local segment, 192.168.12./24, and in that segment I have
another router (192.168.12.1

Local Segment:  192.168.12.0/24

Default Gateway: 192.168.12.2 (VRRP from 2 x IP440)

Static Route in the IP440:  172.21.0.0/16 192.168.12.1 (router to other
segment)

When traffic goes from 192.168.12. via 192.168.12.2 destined for
172.21.x.x, shouldn't the IPSO issue an IP redirect for the correct route?
I'm not seeing this when I sniff this scenario.

Any thoughts?  Suggestions?



============================================================================
====

     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
============================================================================
====
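The three checks quoted from Nokia resolution 1501 in the top reply, applied to the addresses in the original question. This is an added example, not part of the thread and not IPSO code; the interface name `lan0`, the secondary subnet 10.9.9.0/24, the client addresses and the position of the VRRP test ahead of the three checks are assumptions.

```python
import ipaddress

# Constructed lab data modelled on the thread. "lan0", 10.9.9.0/24 and the
# client addresses are assumptions; the static route is the one in the post.
IF_SUBNETS = {"lan0": ["192.168.12.0/24", "10.9.9.0/24"]}
ROUTES = [("172.21.0.0/16", "192.168.12.1", "lan0")]


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (next_hop, out_if) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh, oif) for p, nh, oif in ROUTES
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    _, next_hop, out_if = max(hits, key=lambda h: h[0].prefixlen)
    return next_hop, out_if


def redirect_decision(src, dst, in_if, source_route=False, vrrp_mc=False):
    """Return (send_redirect, reason) for one forwarded packet."""
    route = lookup(dst)
    if route is None:
        return False, "no route"
    next_hop, out_if = route
    if vrrp_mc:
        # A redirect would expose a non-VRRP address and break fail-over.
        return False, "VRRP Monitored Circuit: redirects disabled"
    if in_if != out_if:
        return False, "check 1 failed: different egress interface"
    s, h = ipaddress.ip_address(src), ipaddress.ip_address(next_hop)
    nets = [ipaddress.ip_network(n) for n in IF_SUBNETS[out_if]]
    if not any(s in n and h in n for n in nets):
        return False, "check 2 failed: source not on next hop's logical subnet"
    if source_route:
        return False, "check 3 failed: IP source route option present"
    return True, f"redirect: use gateway {next_hop}"


if __name__ == "__main__":
    cases = [
        ("plain router", dict(src="192.168.12.50")),
        ("VRRP monitored circuit", dict(src="192.168.12.50", vrrp_mc=True)),
        ("client on secondary subnet", dict(src="10.9.9.7")),
        ("source-routed packet", dict(src="192.168.12.50", source_route=True)),
    ]
    for name, kw in cases:
        print(f"{name:28} {redirect_decision(dst='172.21.4.4', in_if='lan0', **kw)}")
```
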





   All contents © 2004 Network Presence, LLC. All rights reserved.