- Functional Overview
- Design Considerations
- Configuration
- Basic Management
- Summary
- Addendum - snoop of Failover
- Addendum – The Problem With ping
Addendum - The Problem With ping
There is a problem with ping and IP network multipathing between Solaris 8 OE update 2 (10/00) and Solaris 8 OE update 4 (04/01). The problem is fixed in Solaris 8 OE update 5 (07/01) and later. If the router discovery daemon (in.rdisc) is running, the problem does not appear. However, if in.rdisc is not running (for example, because an /etc/defaultrouter file was created, which prevents the boot scripts from starting it), the following ICMP message appears when a ping request is sent to a data address in an IP Multipathing group (not necessarily on the first attempt):
ICMP Protocol Unreachable from gateway camelot (192.168.49.42)
 for icmp from clusterclient00 (192.168.49.4) to camelot (192.168.49.42)
192.168.49.42 is alive
To a degree, this is a cosmetic problem. The ICMP Echo request (ping) still produces an ICMP Echo reply; however, before the reply arrives, the host also emits an ICMP Protocol Unreachable message. A ping command that judges reachability by whether a reply arrives (for example, by its exit status) reports success. Not every ping implementation behaves this way: the ping command under Windows 98 reports that the destination is unreachable, which is confusing because the destination is in fact reachable.
There are three basic approaches to dealing with this problem:
The first approach is to ensure that in.rdisc is running, either by not creating an /etc/defaultrouter file or by starting in.rdisc by some other means. An example startup script that ensures in.rdisc is running is provided at the end of this section.
Note that in.rdisc is a potential security issue, so this solution may not be acceptable in all situations. The router discovery daemon is an implementation of dynamic routing that uses ICMP router discovery: it accepts ICMP router advertisements from the local link and installs default routes from them.
The following is extracted from a Sun BluePrints OnLine article by Keith Watson and Alex Noordergraaf entitled Solaris Operating Environment Network Settings for Security, Updated for Solaris 8 Operating Environment (December 2000), located at http://www.sun.com/blueprints/1200/network-updt1.pdf. It explains the potential security pitfalls of dynamic routing.
"There are several problems with dynamic routing that attackers can use to initiate denial of service attacks or view packet data from inaccessible systems. First, routing information can be forged. Routing information is typically sent through broadcast or multicast packets. An attacker can generate routing information packets claiming to be from a router and send them out to hosts or routers. These packets can direct hosts to send packets to a system that is not a router or to a busy router that cannot handle the increase in traffic. Misconfigured routers generate their own denial of service problems. A more sophisticated attack involves directing packets through a multihomed system to examine the packet data as it flows across this system, which now functions as a router. The attacker sends forged routing information packets to a router claiming a lower hop count metric to a destination network that the attacker cannot access. The target router then routes packets through the compromised system allowing the attacker to examine the traffic."
The second approach is to ignore the ICMP message, which affects only the ping command and can be viewed as superfluous. Beware of ping implementations that report only the first message returned: that message is the error, and such implementations report the destination as unreachable. This solution may therefore not be applicable in all situations.
The third approach is to avoid sending ping requests to the data addresses and to send them to the test addresses instead.
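A monitoring script that takes the second approach has to key on the reply line rather than on the first line of output. The following shell function is an added example and is not part of the original Sun BluePrints article: it classifies captured Solaris ping output, treating the "ICMP Protocol Unreachable" line as noise and letting only the "is alive" reply decide reachability. The sample outputs are constructed to match the message format shown above, and the function and variable names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: classify Solaris 8
# ping output so that the cosmetic "ICMP Protocol Unreachable" line is
# treated as noise and only the "is alive" reply line decides reachability.

# classify_ping OUTPUT
#   OUTPUT is the combined stdout/stderr of one ping command.
#   Prints one of:  alive | alive-with-icmp-noise | unreachable
#   Returns 0 when the target answered, 1 otherwise.
classify_ping() {
    out=$1
    if printf '%s\n' "$out" | grep -q ' is alive$'; then
        if printf '%s\n' "$out" | grep -q '^ICMP Protocol Unreachable from gateway '; then
            echo "alive-with-icmp-noise"
        else
            echo "alive"
        fi
        return 0
    fi
    echo "unreachable"
    return 1
}

# ping_hint OUTPUT
#   Prints a one-line diagnosis for an operator, based on the classification.
#   Always returns 0; it is advisory only.
ping_hint() {
    case "$(classify_ping "$1")" in
    alive-with-icmp-noise)
        echo "reachable, but in.rdisc is probably not running; check with 'pgrep -x in.rdisc' or ping the test address instead"
        ;;
    alive)
        echo "reachable"
        ;;
    *)
        echo "unreachable"
        ;;
    esac
    return 0
}

# Constructed sample outputs.  Names and addresses are taken from the
# message shown in the article; the "no answer" line is the standard
# Solaris ping wording for a host that does not reply.
SAMPLE_NOISY='ICMP Protocol Unreachable from gateway camelot (192.168.49.42)
 for icmp from clusterclient00 (192.168.49.4) to camelot (192.168.49.42)
192.168.49.42 is alive'
SAMPLE_CLEAN='192.168.49.42 is alive'
SAMPLE_DOWN='no answer from 192.168.49.42'

# On a live Solaris host the call would be:
#   classify_ping "$(/usr/sbin/ping 192.168.49.42 2>&1)"
```

The function anchors on the trailing "is alive" line rather than on the first line, which is exactly the difference between a ping implementation that judges the reply and one that judges only the first message returned.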
Starting in.rdisc By Other Means
The configuration of the network routing tables and default routes is handled automatically by the router discovery daemon (in.rdisc).
If routes are defined in the /etc/defaultrouter file, the in.rdisc daemon is not started by /etc/rc2.d/S69inet, and the following ICMP message is generated when the node is sent a ping request (not necessarily on the first ping):
ICMP Protocol Unreachable from gateway camelot (192.168.49.42)
 for icmp from clusterclient00 (192.168.49.4) to camelot (192.168.49.42)
Additionally, in.rdisc fails to start if a working data address is not present at boot time, because /etc/rc2.d/S69inet starts it with the -s flag, which sends router solicitations and exits if no router answers.
To ensure that in.rdisc is started under all circumstances, create an additional startup script called /etc/init.d/rdisc. Create a hard link between this script and an appropriately named file in the startup directory; the name determines at which point in the boot sequence the script runs. In this instance, the link is created as follows:
# ln /etc/init.d/rdisc /etc/rc2.d/S70rdisc
The following is an example shell script that the file /etc/init.d/rdisc could contain to ensure the startup of the in.rdisc daemon:
#!/sbin/sh
#
#
# If parameter 1 is "start" then check if the router discovery
# daemon, in.rdisc, is running and if not, start it. If parameter 1
# is "stop" then stop in.rdisc
#
case "$1" in
'start')
        if [ -x /usr/bin/pgrep ]
        then
                # -f keeps in.rdisc running even if no router answers,
                # unlike the -s used by S69inet.
                /usr/bin/pgrep -x -u 0 in.rdisc >/dev/null 2>&1 || \
                        /usr/sbin/in.rdisc -f >/dev/msglog 2>&1
        else
                logger "Cannot execute /usr/bin/pgrep, in.rdisc not started."
        fi
        ;;
'stop')
        /usr/bin/pkill -x -u 0 in.rdisc
        ;;
*)
        echo "Usage: $0 { start | stop }"
        ;;
esac
exit 0
Ordering Sun Documents
The SunDocs(SM) program provides more than 250 manuals from Sun Microsystems, Inc. If you live in the United States, Canada, Europe, or Japan, you can purchase documentation sets or individual manuals through this program.
Accessing Sun Documentation Online
The docs.sun.com web site enables you to access Sun technical documentation online. You can browse the docs.sun.com archive or search for a specific book title or subject. The URL is http://docs.sun.com/
To reference Sun BluePrints OnLine articles, visit the Sun BluePrints OnLine Web site at: http://www.sun.com/blueprints/online.html