Enabling replying to multicast echo requests, Enabling sending of icmpv6 time exceeded packets – H3C Technologies H3C S7500E Series Switches User Manual

Page 140

13-21

Enabling Replying to Multicast Echo Requests

If hosts are configured to answer multicast echo requests, an attacker may use this mechanism to

attack a host. For example, if Host A sends an echo request with the source being Host B to a multicast

address, then all the hosts in the multicast group will send echo replies to Host B. Therefore, to prevent

such an attack, a device is disabled from replying multicast echo requests by default.

Follow these steps to enable replying to multicast echo requests:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enable replying to multicast echo

requests

ipv6 icmpv6

multicast-echo-reply enable

Required

Not enabled by default.

Enabling Sending of ICMPv6 Time Exceeded Packets

A device sends out an ICMPv6 time exceeded packet in the following cases:

If a received IPv6 packet’s destination IP address is not the local address and its hop count is 1,

the device sends an ICMPv6 time-to-live count exceeded packet to the source.

Upon receiving the first fragment of an IPv6 datagram with the destination IP address being the

local address, the device starts a timer. If the timer expires before all the fragments arrive, an

ICMPv6 fragment reassembly time exceeded packet is sent to the source.

If large amounts of malicious packets are received, the performance of a device degrades greatly

because it has to send back ICMP time exceeded packets. You can disable sending of ICMPv6 time

exceeded packets.

Follow these steps to enable sending of ICMPv6 time exceeded packets:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enable sending of ICMPv6 time

exceeded packets

ipv6 hoplimit-expires enable

Optional

Enabled by default.

Displaying and Maintaining IPv6 Basics Configuration

To do…

Use the command…

Remarks

Display the IPv6 FIB entries (for

distributed devices)

display ipv6 fib [ slot slot-number ]

[ ipv6-address ]

Available in any view

Display the IPv6 FIB entries (for

distributed IRF devices)

display ipv6 fib [ chassis

chassis-number slot slot-number ]

[ ipv6-address ]

Available in any view

This manual is related to the following products:

H3C S5800 Series Switches H3C S5120 Series Switches H3C WA2600 Series WLAN Access Points H3C WA2200 Series WLAN Access Points