ICMPv6 redirects provide a mechanism that lets a router notify a host about a better route to a destination. In our scenario above we have discussed the case that another router is closer to the destination than the one sending the redirect. Additionally, ICMPv6 redirects may be used to notify a host that a destination is "on-link", or directly connected to the same subnet. In a "clean" network these redirects shouldn't occur, but if you have multiple network prefixes configured on a subnet and different hosts for some reason have inconsistent prefix configurations, then these redirects are useful.
Only hosts accept ICMPv6 redirects; routers are explicitly forbidden to listen to them. Otherwise routers could be easily manipulated to forward packets to an attacker instead of the real destination. And if the router accepted ICMPv6 redirects and subsequently sent similar ICMPv6 redirects itself, then a single bad ICMPv6 redirect could result in a self-perpetuating broken routing configuration.
Figure 7.2 shows how redirects are sent. Host 2 from the example sends a packet via router 1 which then decides from its routing table that router 2 was closer to host 3 than router 1. Router 1 still forwards the packet to router 2. Then it sends an ICMPv6 redirect to the host to notify it about the better route via router 2. The exact behaviour is defined in RFC 2461 [91, section 8].
Router 1 Host 2 Router 2
Initial IPv6 packet from Host 2 to Host: 3
Initial IPv6 packet from Host 2 to Host 3 IPv6 packet from Router 1 to Host 2 ICMPv6 Type 137 (Redirect) Code 0 Target Address= Router 2 Donation Address=HoSt 3
Further IPv6 packets from Host 2 to Host 3 " -----
Fig. 7.2. An ICMPv6 redirect in action
The exact format of an ICMPv6 redirect packet is defined in RFC 2461 [91, section 4.5].
The IPv6 header of a redirect must have a link-local address as its source address and a hop limit of 255 when it arrives at the host; otherwise the host must discard the packet. If the hop limit was less, then the ICMPv6 redirect itself may have passed through a router, which doesn't make sense—unless somebody outside tries to send spoofed redirects. The ICMPv6 packet proper contains these fields:
ICMPv6 type is always 137 (ICMPv6 redirect). ICMPv6 code is always 0.
Target address is the link-local IPv6 address of the next hop router
(router 2) or the destination address if the destination node is on-link. Destination address is the IPv6 address of the destination. Target link-layer address Optionally, the packet may contain the link-
layer address of the target. Redirected header The packet must also contain the beginning of the packet that triggered the redirect. This field is sent as an option but must be included in the packet.
To avoid excessive network load, ICMPv6 redirects won't be sent for every ill-routed packet; a host that ignores these redirects could otherwise cause significant network load. RFC 2461 [91, section 8.2] explicitly states that a router must limit the number of redirects it sends. There is no exact specification on how to define an acceptable limit, but when we test ICMPv6 redirects we can't expect to see as many redirects as we have sent ill-routed packets.
Was this article helpful?