My 2211 appears to sometimes forge traffic from other hosts in order to hijack a TCP connection and redirect it to itself. I guess somebody thinks it’s a good idea to hijack traffic if the connection to the Internet is down?
This behavior is just plain wrong. There are well-specified ways for a router to handle the case when it is unable to route packets to a destination. Forging traffic from an unreachable destination definitely isn’t one of them. Replying with a destination unreachable ICMP packet is the right thing to do. I’m a bit shocked that the engineers at Ruckus don’t know that; it’s specified pretty clearly in RFC1812 Requirements for IP Version 4 Routers:
4.3.3.1 Destination Unreachable
If a router cannot forward a packet because it has no routes
at all (including no default route) to the destination
specified in the packet, then the router MUST generate a
Destination Unreachable, Code 0 (Network Unreachable) ICMP
message. If the router does have routes to the destination
network specified in the packet but the TOS specified for
the routes is neither the default TOS (0000) nor the TOS of
the packet that the router is attempting to route, then the
router MUST generate a Destination Unreachable, Code 11
(Network Unreachable for TOS) ICMP message.
Note that’s a “MUST” not a “MAY”.
Forging traffic causes all sorts of problems for clients that don’t expect that sort of thing. Just dropping the packet or leaving it in the queue would be better than forging traffic — at least the client would time out rather than receiving forged data.
How do I disable the traffic forging, connection hijacking “feature” and get the 2211 to handle this situation correctly?
— Grant Edwards
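As an added illustration (not part of the original post, and not Ruckus code), here is what the RFC 1812 4.3.3.1 response looks like on the wire: a builder and parser for the ICMP Destination Unreachable message, fed a constructed TCP SYN as the datagram the router could not forward. The addresses and port numbers are made-up sample values.

```python
"""Build and parse the ICMP Destination Unreachable message RFC 1812 4.3.3.1 requires."""
import struct

ICMP_DEST_UNREACHABLE = 3           # ICMP type 3
CODE_NET_UNREACHABLE = 0            # Code 0: router has no route at all
CODE_NET_UNREACHABLE_FOR_TOS = 11   # Code 11: route exists only for another TOS


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_dest_unreachable(undeliverable: bytes, code: int = CODE_NET_UNREACHABLE) -> bytes:
    """Return the ICMP message a router should send back to the datagram's source.
    The body quotes the original IP header plus its first 8 bytes of payload,
    which for TCP covers both port numbers so the client can match the socket."""
    ihl = (undeliverable[0] & 0x0F) * 4     # IPv4 header length in bytes
    quoted = undeliverable[: ihl + 8]
    header = struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, 0, 0)   # checksum 0 while computing
    csum = inet_checksum(header + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, csum, 0) + quoted


def parse_dest_unreachable(msg: bytes) -> dict:
    """Verify the checksum and extract type, code, and the quoted 4-tuple."""
    if inet_checksum(msg) != 0:             # a valid message sums to all ones, complement is 0
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", msg[:8])
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    src = ".".join(str(b) for b in quoted[12:16])
    dst = ".".join(str(b) for b in quoted[16:20])
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {"type": icmp_type, "code": code, "src": src, "dst": dst,
            "sport": sport, "dport": dport}


def sample_tcp_syn() -> bytes:
    """Constructed IPv4+TCP SYN 192.0.2.10:40000 -> 198.51.100.7:80 (documentation addresses)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp
```

A client receiving this message gets the unambiguous "no route" signal the RFC calls for, instead of data that claims to come from the unreachable peer.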