Microsoft KB Archive/295103

= HOW TO: Secure IRDP Updates By Using Routing and Remote Access Filters =

PSS ID Number: 295103

Article Last Modified on 11/18/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server SP1
 * Microsoft Windows 2000 Advanced Server SP1
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q295103





IN THIS TASK

 * SUMMARY
 * Configure Routing and Remote Access Filters

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
The TCP/IP stack in most Microsoft Windows products supports learning default gateway information by using the ICMP Router Discovery Protocol (IRDP). By installing Routing and Remote Access on your Windows 2000-based server, you can ensure that the server's default gateway is only updated by router advertisements from predefined routers. You can accomplish this by using filters in Routing and Remote Access.

IRDP provides faster dead gateway detection than simply configuring multiple gateways on a network interface card. Gateways can be learned immediately during system startup or through the periodic advertisements that are sent by a router that supports IRDP.


Configure Routing and Remote Access Filters
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To guarantee that a server only accepts router advertisements from particular devices, configure Routing and Remote Access filters:

 1. Start Registry Editor (Regedt32.exe).
 2. Locate and click the following key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\

 3. On the Edit menu, click Add Value, and then add the following registry value:

Value name: PerformRouterDiscovery

Data type: REG_DWORD

Radix: Decimal

Value data: 1

This parameter controls whether Windows 2000 attempts to perform router discovery per RFC 1256 on a per-interface basis. This parameter defaults to 0 (FALSE).

 4. Quit Registry Editor.
 5. After you edit the registry, restart the server.
 6. Start the Routing and Remote Access Microsoft Management Console (MMC).
 7. On the General tab, enumerate the interfaces, and then select the interface on which you enabled IRDP in the registry.
 8. Right-click the interface, and then click Properties.
 9. On the General tab, click Drop all packets except those that meet the criteria below.
 10. Select the input filters.
 11. Add the following four filters:

First filter:

 * Source = 0.0.0.0
 * Mask = 0.0.0.0
 * Leave the destination blank.
 * Under protocol, select TCP and leave the source and destination ports blank. You can also run the netstat command on the server to see which ports it is listening on and build more granular filters from that list.

Second filter:

 * Repeat the same actions as you did for the first filter; however, for the protocol, use UDP.

Third filter:

 * Use the IP address of the first router on the segment as the source IP address; leave the destination address blank, and use ICMP as the protocol.
 * Note: The Type and Code fields will become available:

Type = 9

Code = 0

If you get this granular with the filter, you will not be able to ping the boxes unless you define other filters. For additional type and code information, refer to the following KB article, or refer to RFC 792 "Internet Control Message Protocol":

170292 Internet Control Message Protocol (ICMP) Basics

Fourth filter:

 * Use the IP address of the second router on the segment as the source IP address; leave the destination address blank, and use ICMP as the protocol.
 * Note: The Type and Code fields will become available:

Type = 9

Code = 0
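The four input filters above, modelled in Python as an added example (not Microsoft's or Routing and Remote Access code): it parses a raw IPv4 packet, applies the "drop all except" rule set, and shows that a type 9 code 0 advertisement from a listed router passes, that one from any other source is dropped, and that, as the article warns, even an echo request from a listed router is dropped. The router addresses 192.0.2.1 and 192.0.2.2 and the server address 192.0.2.10 are constructed placeholders.

```python
import ipaddress
import struct

# Model of the four RRAS input filters in this article (constructed example,
# not Microsoft code). Router addresses are assumed values for the demo.
ROUTER_A = "192.0.2.1"
ROUTER_B = "192.0.2.2"
IRDP_ADVERT = (9, 0)  # ICMP Router Advertisement, RFC 1256

# (source, mask, protocol, required (icmp type, code) or None).
# Source 0.0.0.0 with mask 0.0.0.0 matches any source, as in filters 1 and 2.
FILTERS = [
    ("0.0.0.0", "0.0.0.0", "tcp", None),
    ("0.0.0.0", "0.0.0.0", "udp", None),
    (ROUTER_A, "255.255.255.255", "icmp", IRDP_ADVERT),
    (ROUTER_B, "255.255.255.255", "icmp", IRDP_ADVERT),
]
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_ipv4(pkt: bytes):
    """Return (src, protocol name, (icmp type, code) or None) for a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    icmp = (pkt[ihl], pkt[ihl + 1]) if proto == 1 else None
    return src, PROTO_NAMES.get(proto, str(proto)), icmp

def src_matches(src, rule_src, rule_mask):
    mask = int(ipaddress.IPv4Address(rule_mask))
    return int(ipaddress.IPv4Address(src)) & mask == int(ipaddress.IPv4Address(rule_src)) & mask

def allowed(pkt: bytes) -> bool:
    """'Drop all packets except those that meet the criteria below' semantics.
    Note that the match is on the packet's claimed source address only."""
    src, proto, icmp = parse_ipv4(pkt)
    return any(proto == r_proto and src_matches(src, r_src, r_mask)
               and (r_icmp is None or r_icmp == icmp)
               for r_src, r_mask, r_proto, r_icmp in FILTERS)

def build_ipv4(src, proto, payload):
    """Minimal 20-byte IPv4 header plus payload (constructed test input; checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address("192.0.2.10").packed)
    return hdr + payload

def icmp_packet(src, icmp_type, code):
    """ICMP header with the given type/code (checksum and rest-of-header zeroed)."""
    return build_ipv4(src, 1, bytes([icmp_type, code, 0, 0, 0, 0, 0, 0]))
```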


Additional query words: IRDP deadgateway detection

Keywords: kbenv kbhowto kbHOWTOmaster KB295103

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbWin2000AdvServSP1 kbwin2000DataServ kbwin2000DataServSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbwin2000ServSP1 kbWinAdvServSearch kbWinDataServSearch

-


© 2004 Microsoft Corporation. All rights reserved.