Routing Issues
Prepared by Scott R. Hogg
Network Systems Consultant
Introduction:
There are times when you may want to create a redundant configuration for hosts on TCP/IP segments. This can sometimes be accomplished by putting multiple network cards into the host and attaching these to different network segments. When this is done, the host is then known as being "multi-homed". This is the subject that this document is going to address.
This document is also going to discuss a situation where you want redundant routers to provide connectivity for hosts on a single segment. We will address issues related to how hosts will be able to fail over to redundant routers on a single segment.
Consider the diagram below. It illustrates hosts that are connected to a segment that has multiple routers and also a host that has connections to two segments. We will use this diagram to describe the issues related to multi-homed hosts and multiple redundant routers.
The diagram above shows two segments (segment 1 and segment 2) which have two routers connected to them. The hosts on segment 2 have the option of which router to use as their default gateway. If both of them use the same router as their default gateway and that router fails, then those hosts are isolated. In other words, using only a single default gateway can cause problems if that gateway’s IP address is unavailable.
Host B is illustrated as having two connections to each network segment. There are also issues involved with how that host should be configured to make the most of its dual-homed status. It is configured with Router C as its default gateway. There are considerations about how it will be able to communicate with Segment 3.
This document will discuss some alternatives to solving some of these problems. This paper will then analyze the alternatives and try to draw comparisons and finally make suggestions for configurations.
Alternatives:
Multiple Default Gateways:
One option to help Host C and Host D gain the benefits of redundancy and fail-over would be to configure these hosts with multiple default routers. Each end system would have to support the configuration of multiple default routers and a method of switching between them when the failure of the primary router is detected. When the first default router is found to be inactive, the host switches over to its backup (second) default router. There is a delay involved in sensing that the first default gateway has failed, and further time to switch over to the backup. Some operating systems do not support this, but a large majority do.
ICMP Router Discovery Protocol (IRDP):
IRDP (RFC 1256) is based on ICMP messages being multicast from all routers on a LAN segment. Hosts C and D would hear these multicasts and learn of the presence of the routers and each router's priority relative to the priorities of the other routers on the same segment. When an end system boots, a separate ICMP message is used to request that all routers announce themselves to the LAN. End systems which implement IRDP also conform to the host requirements standards, which require them to look for alternate routes if TCP connections become stalled. While this is an Internet standard, it is only implemented in relatively new and featureful IP implementations. Many operating systems, however, do not support it natively and would need to be retrofitted with this capability. The IRDP host software is freely available to be compiled for many OS versions.
ICMP Redirects:
An ICMP Redirect tells the recipient system to over-ride something in its routing table. It is legitimately used by routers to tell hosts that the host is using a non-optimal or defunct route to a particular destination, i.e. the host is sending it to the wrong router. An example of this would be if Host A was trying to contact its default gateway (Router C) to get to Segment 3. Router C would know that the proper router for Host A to send that packet to would be Router B. The wrong router sends the host back an ICMP Redirect packet that tells Host A what the correct route should be. If you can forge ICMP Redirect packets, and if your target host pays attention to them, you can alter the routing tables on the host and possibly subvert the security of the host by causing traffic to flow via a path the network manager didn't intend. ICMP Redirects also may be employed for denial of service attacks, where a host is sent a route that loses it connectivity, or is sent an ICMP Network Unreachable packet telling it that it can no longer access a particular network. Many firewall builders screen ICMP traffic from their network, since it limits the ability of outsiders to ping hosts, or modify their routing tables. ICMP redirects are sent by a router if the following conditions are met:
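Added example, not part of the original paper: a host-side check that limits the forged-redirect risk described in this section by applying the two tests RFC 1122 recommends before a redirect is acted on (the new gateway must be on the attached subnet, and the sender must be the host's current first hop for that destination). The addresses, function names and the simplified route table are constructed for illustration.

```python
import ipaddress
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_redirect(icmp, sender, local_net, host_routes, default_gw):
    """Decide whether a host should act on one ICMP message received from `sender`.
    host_routes maps destination address -> first hop (simplified, assumed table)."""
    if len(icmp) < 8 + 20 + 8:            # ICMP header + quoted IP header + 8 data bytes
        return False, "truncated"
    mtype, code, _csum, gw_raw = struct.unpack("!BBH4s", icmp[:8])
    if mtype != 5 or code > 3:            # type 5 = Redirect, codes 0-3 defined
        return False, "not a redirect"
    if icmp_checksum(icmp) != 0:
        return False, "bad checksum"
    new_gw = ipaddress.IPv4Address(gw_raw)
    dst = ipaddress.IPv4Address(icmp[24:28])   # destination in the quoted IP header
    if new_gw not in ipaddress.IPv4Network(local_net):
        return False, "new gateway is off-link"
    if sender != host_routes.get(str(dst), default_gw):
        return False, "sender is not the current first hop"
    return True, f"route {dst} via {new_gw}"

def sample_redirect(new_gw, src, dst):
    """Constructed test input: a host redirect (code 1) quoting a datagram src -> dst."""
    pack = lambda a: ipaddress.IPv4Address(a).packed
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         pack(src), pack(dst)) + bytes(8)
    body = struct.pack("!BBH4s", 5, 1, 0, pack(new_gw)) + quoted
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

# Constructed addressing for Segment 1: Router C = .1 (Host A's default), Router B = .2
SEG1, ROUTER_C, ROUTER_B, HOST_A = "10.1.0.0/24", "10.1.0.1", "10.1.0.2", "10.1.0.10"
SEG3_HOST = "10.3.0.20"

if __name__ == "__main__":
    good = sample_redirect(ROUTER_B, HOST_A, SEG3_HOST)
    print(check_redirect(good, ROUTER_C, SEG1, {}, ROUTER_C))
    offlink = sample_redirect("192.0.2.66", HOST_A, SEG3_HOST)
    print(check_redirect(offlink, ROUTER_C, SEG1, {}, ROUTER_C))
    print(check_redirect(good, "10.1.0.99", SEG1, {}, ROUTER_C))
```

Only the first message, sent by Router C and naming Router B on the same segment, is accepted; the off-link gateway and the unexpected sender are both discarded.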
Proxy ARP:
By default, Cisco routers will reply to IP ARP requests made for off-net destinations for which they have routes. For this mechanism to be effective, the end systems must have their IP subnet mask configured to treat all off-net destinations as if they were attached to the local network. For example, to reach all subnets of 128.56.0.0, one would have to use a subnet mask of 255.255.0.0. Therefore, Router B would reply to Host A's request for Segment 3 and help it with its misconfiguration even though Host A's default gateway is Router C. On some systems (typically Unix), a default route to the local interface will suffice to tell the system that all destinations should be treated as if they were on the attached LAN segment. The problem with this approach is that once the ARP request has been satisfied for a given destination, it is not repeated until the ARP cache entry is cleared (on Unix this is typically 20 minutes). This solution has considerable restrictions and possible security risks.
Routing Protocols on Hosts:
An alternative would be to let hosts run a routing protocol and listen passively to the reachability information that the routers are exchanging. The end systems must determine (or be configured for) the routing protocol in use on the attached LAN segment and participate in the protocol to the extent necessary to learn routes to external networks. For example, Host C and Host D could listen to the routing updates that flow between Router A and Router B to determine the best way to get to the Internet. Most typically, the RIP routing protocol is the network protocol used because participation is limited to simply listening to the updates being sent by all routers on the LAN. However, many sites are now using more modern routing protocols (OSPF or EIGRP). This implies also configuring RIP on all routers on each LAN segment just to let the end systems know about the existence of those routers. Using the default RIP timer of 30 seconds and three updates to detect a failed router yields a 90-second time to switch to the backup router. Another assumption is that all the workstations are capable of running a RIP listening process -- something that many PC-based TCP/IP implementations do not supply.
Cisco's Hot Standby Router Protocol (HSRP):
HSRP is a nifty protocol that shifts the function of selecting a backup router out of the end systems and into the network (well, into the routers). The idea is to create a "Phantom" router interface to service the high availability LAN segment. By default the two routers exchange HSRP messages every second and the standby router will take over the IP and MAC address of the "Phantom" if it does not receive at least one HSRP message every three seconds. If router A and B were configured for this protocol, they could create another IP address (2.3) that they would share to be the default gateway for Hosts C and D. Hosts C and D would point their default gateway towards 2.3. If either router failed, then the other router would pick up the task of forwarding packets for the hosts. However, one note of caution -- on access routers (4000 and 2500), the backup router's MAC address changes to that of the "Phantom" if the primary router fails. This does not adversely affect most network protocols and provides the rapid fail-over that is desired.
Static Routes:
It is possible to define static routes on hosts and not leave the forwarding of packets up to dynamic routing protocols. For example, Host B could maintain its default route to Router C and have an additional static route to Segment 3 that points to Router B. This method is often difficult to maintain, and when new network address space is added to the network, the routes will require updating. However, this method is very simple and can be easily configured regardless of the OS type. (Both NT and UNIX hosts should support this natively.)
Analysis:
The analysis of these alternatives should take into account the networks and their requirements.
Multiple Default Gateways
  Advantage: Simple, well-understood
  Advantage: Common among different OSs
  Disadvantage: Time to detect failed router and try backup

ICMP Router Discovery Protocol (IRDP)
  Advantage: Gives hosts a way to choose their default gateway
  Advantage: IETF standard
  Disadvantage: Requires host software to listen to multicast packets
  Disadvantage: Requires compilation of IRDP code on hosts

ICMP Redirects
  Advantage: Standard within TCP/IP; most OSs support this
  Disadvantage: Less control over the host's routing table
  Disadvantage: Could be a security vulnerability

Proxy ARP
  Advantage: No modification required to the hosts
  Disadvantage: Major security vulnerability
  Disadvantage: These may be limited/filtered on the routers

Routing Protocols on Host
  Advantage: Host has knowledge of internal versus external subnets
  Disadvantage: System administrator overhead associated with routed

Hot Standby Router Protocol (HSRP)
  Advantage: Clean; no modification required for the host
  Advantage: Allows for manual outbound load-sharing
  Disadvantage: Requires router configuration
  Disadvantage: Cisco proprietary protocol
  Advantage: We have standardized on Cisco routers

Static Routes
  Advantage: Simple, well-understood
  Advantage: Both NT and UNIX hosts can be configured this way
  Disadvantage: Scalability concerns; number of subnets can grow
  Disadvantage: Administrative overhead of adding new subnets
Conclusions:
It is important to ensure that hosts are not configured as routers and forwarding packets in a way that is contrary to a company's policies. Therefore, it is important to make sure that multi-homed hosts have disabled IP Forwarding.
After weighing the alternatives, a good method of creating redundancy for hosts would be to use multiple default gateways on single and multi-homed hosts. This is a simple and scalable way to ensure that the host is not isolated.
Therefore, we should also be looking into the use of HSRP. Since we use primarily Cisco routers, the proprietary aspects of the protocol are less of an issue.
In addition, the use of static routes within the hosts should also be permitted. Even though this method has administrative overhead, it is a great way to control the routing options for hosts without having to customize the host extensively.
In a security configuration, hosts should be encouraged to be dual-homed for security and redundancy reasons. Host B should send traffic to Segment 2 directly rather than sending it to its default gateway Router C which is connected to the Internet.