Thu Mar 19 09:53:50 EDT 2015

Slept well. Got to work on time.

Goals:

Work:
- Read up on routing issue with second gateway. Done!
- Move more VPNs. Done.

Home:
- Work on S&W: complete re-typeset. Done.
- Laundry. Done.

Questions:

- How does any given node find out about new routes? If I have multiple gateways on my network, and some remote hosts are only reachable through a particular gateway, or the best gateway to a host changes, how does my machine find that out or decide what entries to add to its route cache? Linux kernel 3.6+ made a major change to route lookups (a route cache, as such, is no longer used).

Wait... ICMP... is Internet Control Message Protocol. Maybe it's not just for ping? Hmm. I have a vague memory of this....

http://tools.ietf.org/html/rfc1122#page-47
http://tools.ietf.org/html/rfc1122#page-48

3.3.1.2 Gateway Selection

To efficiently route a series of datagrams to the same destination, the source host MUST keep a "route cache" of mappings to next-hop gateways. A host uses the following basic algorithm on this cache to route a datagram; this algorithm is designed to put the primary routing burden on the gateways [IP:11].

(a) If the route cache contains no information for a particular destination, the host chooses a "default" gateway and sends the datagram to it. It also builds a corresponding Route Cache entry.

(b) If that gateway is not the best next hop to the destination, the gateway will forward the datagram to the best next-hop gateway and return an ICMP Redirect message to the source host.

(c) When it receives a Redirect, the host updates the next-hop gateway in the appropriate route cache entry, so later datagrams to the same destination will go directly to the best gateway.
Since the subnet mask appropriate to the destination address is generally not known, a Network Redirect message SHOULD be treated identically to a Host Redirect message; i.e., the cache entry for the destination host (only) would be updated (or created, if an entry for that host did not exist) for the new gateway.

```
$ ping 10.0.40.1
PING 10.0.40.1 (10.0.40.1) 56(84) bytes of data.
From 10.0.0.1: icmp_seq=1 Redirect Host(New nexthop: 10.0.0.25)
64 bytes from 10.0.40.1: icmp_seq=1 ttl=63 time=29.6 ms
From 10.0.0.1: icmp_seq=2 Redirect Host(New nexthop: 10.0.0.25)
64 bytes from 10.0.40.1: icmp_seq=2 ttl=63 time=24.2 ms
From 10.0.0.1: icmp_seq=3 Redirect Host(New nexthop: 10.0.0.25)
64 bytes from 10.0.40.1: icmp_seq=3 ttl=63 time=24.8 ms
From 10.0.0.1: icmp_seq=4 Redirect Host(New nexthop: 10.0.0.25)
64 bytes from 10.0.40.1: icmp_seq=4 ttl=63 time=28.1 ms
^C
--- 10.0.40.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 24.295/26.744/29.697/2.257 ms
$
$ ip r get 10.0.40.1
10.0.40.1 via 10.0.0.1 dev br0 src 10.0.0.76
    cache
$
$ sudo sysctl net.ipv4.conf.all.accept_redirects
net.ipv4.conf.all.accept_redirects = 0
$ sudo sysctl net.ipv4.conf.all.accept_redirects=1
net.ipv4.conf.all.accept_redirects = 1
$ ping 10.0.40.1
PING 10.0.40.1 (10.0.40.1) 56(84) bytes of data.
64 bytes from 10.0.40.1: icmp_seq=1 ttl=63 time=24.3 ms
64 bytes from 10.0.40.1: icmp_seq=2 ttl=63 time=23.0 ms
64 bytes from 10.0.40.1: icmp_seq=3 ttl=63 time=21.5 ms
^C
--- 10.0.40.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 21.543/22.984/24.381/1.165 ms
$
$ ip ro get 10.0.40.1
10.0.40.1 via 10.0.0.25 dev br0 src 10.0.0.76
    cache
```

Good. It's still weird not to have a route cache to examine in Linux.

NOTE: `net.ipv4.conf.all.secure_redirects = 1` causes Linux to only accept ICMP redirects sent by the default gateway. This is probably preferred in most environments.
However, I'm not sure whether this should be used instead of or in addition to `net.ipv4.conf.all.accept_redirects`. Hmm. It looks like it's turned on already on my machine, so it must be _in addition to_, or else it was automatically turned on when I enabled accept_redirects, or else I have/had some other complicating problem.

Changes need to be added to `/etc/sysctl.conf` to persist across reboots.

UPDATE: I just checked another box running Jessie, and `net.ipv4.conf.all.accept_redirects` is enabled (which I presume it is by default). I'm not sure what happened to the first box to disable it.

Further update: configuring UFW with `gufw` switched off `net.ipv4.conf.all.accept_redirects`.

Further further update: the file `/etc/ufw/sysctl.conf` also has settings for accept_redirects, and ufw seems to use these to *override* settings in `/etc/sysctl.conf`. I'm thinking about getting rid of ufw.
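An added example (not part of the original entry) that ties the two observations above together: it pulls the ICMP Redirect lines out of `ping` output like the session above, computes the effective `accept_redirects`/`secure_redirects` values when `/etc/sysctl.conf` is followed by `/etc/ufw/sysctl.conf`, and models which redirects the host would honour. The sample ping output and both config files are constructed, and `would_accept` models the two knobs only as the entry describes them.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of ping output, modeled on the session in this entry.
PING_OUTPUT = """PING 10.0.40.1 (10.0.40.1) 56(84) bytes of data.
From 10.0.0.1: icmp_seq=1 Redirect Host(New nexthop: 10.0.0.25)
64 bytes from 10.0.40.1: icmp_seq=1 ttl=63 time=29.6 ms
From 10.0.0.1: icmp_seq=2 Redirect Host(New nexthop: 10.0.0.25)
64 bytes from 10.0.40.1: icmp_seq=2 ttl=63 time=24.2 ms
"""
# Constructed sysctl files in the order they are applied; ufw's file uses
# slash-separated keys, so keys are normalised to dotted form when parsed.
SYSCTL_CONF = "net.ipv4.conf.all.accept_redirects = 1\nnet.ipv4.conf.all.secure_redirects = 1\n"
UFW_SYSCTL_CONF = "# set by ufw\nnet/ipv4/conf/all/accept_redirects=0\n"
KEYS = ("net.ipv4.conf.all.accept_redirects", "net.ipv4.conf.all.secure_redirects")

REDIRECT_RE = re.compile(
    r"^From (?P<sender>[\d.]+): icmp_seq=\d+ "
    r"Redirect (?P<kind>Host|Network)\(New nexthop: (?P<nexthop>[\d.]+)\)")

def find_redirects(ping_text: str) -> List[Tuple[str, str, str]]:
    """Return (sender, kind, new_nexthop) for every ICMP Redirect ping reported."""
    return [(m["sender"], m["kind"], m["nexthop"])
            for m in map(REDIRECT_RE.match, ping_text.splitlines()) if m]

def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse key = value lines; lines starting with '#' or ';' are comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.replace("/", ".")] = value
    return settings

def effective_settings(files_in_order: Iterable[str], keys: Iterable[str]) -> Dict[str, str]:
    """Later files win, which is how /etc/ufw/sysctl.conf overrode /etc/sysctl.conf."""
    merged: Dict[str, str] = {}
    for text in files_in_order:
        merged.update(parse_sysctl_conf(text))
    return {k: merged.get(k, "unset") for k in keys}

def would_accept(sender: str, default_gw: str, accept: str, secure: str) -> bool:
    """Model of the two knobs as this entry describes them (an assumption):
    accept_redirects=0 drops all; secure_redirects=1 trusts only the default gateway."""
    if accept != "1":
        return False
    return sender == default_gw if secure == "1" else True
```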