Professional Documents
Culture Documents
� Source quench : a router was supposed to send this message when it had to discard
packets due
to congestion. However, sending ICMP messages in case of congestion was not the
best way
to reduce congestion and since the inclusion of a congestion control scheme in TCP,
this ICMP
message has been deprecated.
� Time Exceeded : there are two types of Time Exceeded ICMP messages
� TTL exceeded : a TTL exceeded message is sent by a router when it discards an
IPv4 packet
because its TTL reached 0.
� Reassembly time exceeded : this ICMP message is sent when a destination has been
unable
to reassemble all the fragments of a packet before the expiration of its reassembly
timer.
� Echo request and Echo reply : these ICMP messages are used by the ping(8) network
debug-
ging software.
Note: Redirection attacks
ICMP redirect messages are useful when several routers are attached to the same LAN
as hosts. However, they
should be used with care as they also create an important security risk. One of the
most annoying attacks in an
IP network is called the man in the middle attack. Such an attack occurs if an
attacker is able to receive, process,
possibly modify and forward all the packets exchanged between a source and a
destination. As the attacker
receives all the packets it can easily collect passwords or credit card numbers or
even inject fake information in an
established TCP connection. ICMP redirects unfortunately enable an attacker to
easily perform such an attack. In
the ?gure above, consider host H that is attached to the same LAN as A and R1. If H
sends to A an ICMP redirect
for pre?x 138.48.0.0/16, A forwards to H all the packets that it wants to send to
this pre?x. H can then forward
them to R2. To avoid these attacks, hosts should ignore the ICMP redirect messages
that they receive.
ping(8) is often used by network operators to verify that a given IP address is
reachable. Each host is supposed
10
to reply with an ICMP Echo reply message when its receives an ICMP Echo request
message. A sample usage
of ping(8) is shown below.
ping 130.104.1.1
PING 130.104.1.1 (130.104.1.1): 56 data bytes
64 bytes from 130.104.1.1: icmp_seq=0 ttl=243 time=19.961 ms
64 bytes from 130.104.1.1: icmp_seq=1 ttl=243 time=22.072 ms
64 bytes from 130.104.1.1: icmp_seq=2 ttl=243 time=23.064 ms
64 bytes from 130.104.1.1: icmp_seq=3 ttl=243 time=20.026 ms
64 bytes from 130.104.1.1: icmp_seq=4 ttl=243 time=25.099 ms
--- 130.104.1.1 ping statistics --5
packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 19.961/22.044/25.099/1.938 ms
10
Until a few years ago, all hosts replied to Echo request ICMP messages. However,
due to the security problems that have affected TCP/IP
implementations, many of these implementations can now be con?gured to disable
answering Echo request ICMP messages.
152 Chapter 5. The network layer
Saylor URL: http://www.saylor.org/courses/cs402/
The Saylor Foundation
Another very useful debugging tool is traceroute(8). The traceroute man page
describes this tool as �print
the route packets take to network host�. traceroute uses the TTL exceeded ICMP
messages to discover the intermediate
routers on the path towards a destination. The principle behind traceroute is very
simple. When a router
receives an IP packet whose TTL is set to 1 it decrements the TTL and is forced to
return to the sending host a
TTL exceeded ICMP message containing the header and the ?rst bytes of the discarded
IP packet. To discover all
routers on a network path, a simple solution is to ?rst send a packet whose TTL is
set to 1, then a packet whose
TTL is set to 2, etc. A sample traceroute output is shown below.
traceroute www.ietf.org
traceroute to www.ietf.org (64.170.98.32), 64 hops max, 40 byte packets
1 CsHalles3.sri.ucl.ac.be (192.168.251.230) 5.376 ms 1.217 ms 1.137 ms
2 CtHalles.sri.ucl.ac.be (192.168.251.229) 1.444 ms 1.669 ms 1.301 ms
3 CtPythagore.sri.ucl.ac.be (130.104.254.230) 1.950 ms 4.688 ms 1.319 ms
4 fe.m20.access.lln.belnet.net (193.191.11.9) 1.578 ms 1.272 ms 1.259 ms
5 10ge.cr2.brueve.belnet.net (193.191.16.22) 5.461 ms 4.241 ms 4.162 ms
6 212.3.237.13 (212.3.237.13) 5.347 ms 4.544 ms 4.285 ms
7 ae-11-11.car1.Brussels1.Level3.net (4.69.136.249) 5.195 ms 4.304 ms 4.329 ms
8 ae-6-6.ebr1.London1.Level3.net (4.69.136.246) 8.892 ms 8.980 ms 8.830 ms
9 ae-100-100.ebr2.London1.Level3.net (4.69.141.166) 8.925 ms 8.950 ms 9.006 ms
10 ae-41-41.ebr1.NewYork1.Level3.net (4.69.137.66) 79.590 ms
ae-43-43.ebr1.NewYork1.Level3.net (4.69.137.74) 78.140 ms
ae-42-42.ebr1.NewYork1.Level3.net (4.69.137.70) 77.663 ms
11 ae-2-2.ebr1.Newark1.Level3.net (4.69.132.98) 78.290 ms 83.765 ms 90.006 ms
12 ae-14-51.car4.Newark1.Level3.net (4.68.99.8) 78.309 ms 78.257 ms 79.709 ms
13 ex1-tg2-0.eqnwnj.sbcglobal.net (151.164.89.249) 78.460 ms 78.452 ms 78.292 ms
14 151.164.95.190 (151.164.95.190) 157.198 ms 160.767 ms 159.898 ms
15 ded-p10-0.pltn13.sbcglobal.net (151.164.191.243) 161.872 ms 156.996 ms 159.425
ms
16 AMS-1152322.cust-rtr.swbell.net (75.61.192.10) 158.735 ms 158.485 ms 158.588 ms
17 mail.ietf.org (64.170.98.32) 158.427 ms 158.502 ms 158.567 ms
The above traceroute(8) output shows a 17 hops path between a host at UCLouvain and
one of the main
IETF servers. For each hop, traceroute provides the IPv4 address of the router that
sent the ICMP message and the
measured round-trip-time between the source and this router. traceroute sends three
probes with each TTL value.
In some cases, such as at the 10th hop above, the ICMP messages may be received
from different addresses. This
is usually because different packets from the same source have followed different
paths
11
in the network.
Another important utilisation of ICMP messages is to discover the maximum MTU that
can be used to reach a
destination without fragmentation. As explained earlier, when an IPv4 router
receives a packet that is larger than
the MTU of the outgoing link, it must fragment the packet. Unfortunately,
fragmentation is a complex operation
and routers cannot perform it at line rate [KM1995]. Furthermore, when a TCP
segment is transported in an IP
packet that is fragmented in the network, the loss of a single fragment forces TCP
to retransmit the entire segment
(and thus all the fragments). If TCP was able to send only packets that do not
require fragmentation in the
network, it could retransmit only the information that was lost in the network. In
addition, IP reassembly causes
several challenges at high speed as discussed in RFC 4963. Using IP fragmentation
to allow UDP applications to
exchange large messages raises several security issues [KPS2003].
ICMP, combined with the Don�t fragment (DF) IPv4 ?ag, is used by TCP
implementations to discover the largest
MTU size that is allowed to reach a destination host without causing network
fragmentation. This is the Path MTU
discovery mechanism de?ned in RFC 1191. A TCP implementation that includes Path MTU
discovery (most do)
requests the IPv4 layer to send all segments inside IPv4 packets having the DF ?ag
set. This prohibits intermediate
routers from fragmenting these packets. If a router needs to forward an
unfragmentable packet over a link with a
smaller MTU, it returns a Fragmentation needed ICMP message to the source,
indicating the MTU of its outgoing
link. This ICMP message contains in the MTU of the router�s outgoing link in its
Data ?eld. Upon reception of
this ICMP message, the source TCP implementation adjusts its Maximum Segment Size
(MSS) so that the packets
containing the segments that it sends can be forwarded by this router without
requiring fragmentation.
11
A detailed analysis of traceroute output is outside the scope of this document.
Additional information may be found in [ACO+2006] and
[DT2007]