ICMP Redirect Routes Override OSPF Routes (243427)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows NT Server 4.0 SP4
  • Microsoft Windows NT Server 4.0 SP5
This article was previously published under Q243427
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

When Routing and Remote Access Services (RRAS) is configured as an autonomous system boundary router (ASBR), it does not correctly import connected interface subnet routes. Instead, it injects host routes into the Open Shortest Path First (OSPF) routes. Because the OSPF router cannot be used as an ASBR router, importing connected interface subnet routes into OSPF results in confusing routing tables with strange routing paths.

CAUSE

Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the OSPF-generated routes. This, by itself, is the expected behavior. The problem, however, is that for a period of time (the period of the ICMP redirect-plumbed routes' timeout, which is ten minutes) there is a black hole for the network concerned.

RESOLUTION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this issue, turn off the routes being plumbed by ICMP redirects. In Windows 2000, you can do this by adjusting a registry value as follows:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

  3. Change the data value of the EnableICMPRedirect value to 0 (by default, it is 1).
  4. Quit Registry Editor.

STATUS

Microsoft has confirmed that this is a problem in Windows 2000.

MORE INFORMATION

The registry value listed above is for Windows 2000 only.
  • In Windows NT 4.0, the REG_DWORD "EnableICMPRedirects" value must have an "s" at the end.
  • In Windows 2000 and later, the REG_DWORD "EnableICMPRedirect" value must not have an "s" at the end.
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

225344 ICMP Redirect Attack Hangs Windows NT Server and Workstation

293626 Cannot Disable ICMP Redirects with EnableICMPRedirect Value

Modification Type:MajorLast Reviewed:10/9/2002
Keywords:kbenv kbnetwork kbprb KB243427
©2002 Microsoft Corporation. All rights reserved.