25 Years: Java promise yields Go e! app
Upstart startup leads off with 3000 news

MPE/iX networking flaw has workarounds and a fix

Network switch
Gilles Schipper, our Homesteading editor who's shared so much advice and instruction, wanted network help. Along the way to answers, an MPE/iX flaw was uncovered. There's a fix. But first, the problem.

Schipper writes, "All of sudden, two HP 3000s (running MPE/iX 6.5) are unable to accept VT sessions from terminals on same network. Network administrators unable to point to any network configuration or equipment issues that could explain the problem.

"Further investigation shows that one or two IP's associated with PRINTERS (usually 1, but sometimes 2) have appeared in the "GATELIST" command within NETTOOLS.NET.SYS (along with the IP address of the router). It seems that the inability of network terminals to log on to either system is always due to this bizarre situation that I've never seen before."

Currently, the solution is to run a job every five minutes or so that issues a NETCONTROL NET=LAN; UPDATE=ALL, which results in ONLY the correct router IP address in the GATELIST, and after which everything is okay.

How can I fix the problem permanently without requiring the running of the UPDATE job?

Craig Lalley says he's seen this before.

"I suppose you will probably want to know how I resolved it. I don't remember... but, network redirects come to mind. Are they getting network redirects at the console? Do they have the correct gateway in NMMGR? Have you looked at the buffers?


Of course, what does LINKCONTROL @,A show? Finally, look at the Name Resolution."

Mark Landin puts the blame on a routing table.

"Sounds like your routing table is getting polluted with bad RIP updates. Doubt it’s coming from the printers themselves. Not sure how you’d track that down. Maybe if you put a PC running Wireshark on the same LAN you could find the source of the bogus updates."

Billy Brewer thinks the router redirects cause the problem.

"What you are seeing most likely is ICMP Redirects (normally coming from a router). I don't think I've ever seen where you would get a printer IP address showing in your gatelist in Nettool as that doesn't make any sense. Basically the culprit is sending out an "alternate" gateway and the HP 3000 unfortunately listens and updates the gateway (Gatelist).

The network guys (at least in my experience) are never wrong or guilty until you prove it to them. Anyway, if this is the case, you can watch your console and if you get the result below, it will tell you the IP address of the equipment sending the ICMP Redirect.

SYS-A:** NETXPORT IP : NETWORK PROBLEM; Gateway redirects severe

Loc: 215; Class: 2; Parm= $A1C37920; PortID: $FFFFF972

If you convert the PARM= value from hex to decimal you get the IP, which should be the router that your system is having trouble with.
A1 = 161
C3 = 195
79 = 121
20 = 32

Update: Schipper says the problems came through PCs on the network.

"It turns out that the ICMP redirect requests were being issued by two virus-infected PCs. This was determined by utilizing a packet sniffer. Once those PCs were disconnected from the network, all was good."

Finally, Doug Werth pointed out this is a flaw in MPE/iX which introduced a security hole. That's significant, because 3000s don't often exhibit those. The continued use of these servers on modern networks, pretty remarkable for a server first built in 1972, will expose such stuff.

Werth says, "What you are seeing is in fact caused by ICMP redirects. It has nothing to do with printers or DNS or network resources of any nature. Simply put, a router on the network is inspecting packets and believes it knows a better gateway for the HP3000 to route to use and tells it so via a gateway redirect. The HP 3000 dutifully updates its routing table accordingly.

"If the redirect packets occur at a high enough rate the 'ICMP redirects severe' message is written to the system console. This makes identifying the culprit fairly easily whereby one can ask the network administrator to disable that feature. Yet it only takes one redirect to mess things up which won't reach the threshold of 'severe.' and thus making identification much more difficult. The offending packets can be located by formatting a link trace directly on the HP 3000, or with a packet sniffer like Wireshark externally.

"And how to fix the problem permanently without running the UPDATE job? Beechglen has a patch for all versions of MPE/iX to permanently ignore ICMP redirects. Contact us on how to track down the offending gateway and patches."

"I have long considered this a significant security hole in MPE, as well as all operating systems that accept and act upon ICMP redirects. Turning them off permanently is a must. No server should allow for the possibility of a rogue piece of equipment getting on the network and rerouting its packets. That is a job that should be left solely to the configured default gateway."