Disadvantage of sending icmp error packets – H3C Technologies H3C WX6000 Series Access Controllers User Manual
If the device receives an IP packet with the destination unreachable, it will drop the packet and send an
ICMP destination unreachable error packet to the source.
Conditions for sending this ICMP packet:
• If neither a route nor the default route for forwarding a packet is available, the device will send a “network unreachable” ICMP error packet.
• If the destination of a packet is local while the transport layer protocol of the packet is not supported by the local device, the device sends a “protocol unreachable” ICMP error packet to the source.
• When receiving a packet with the destination being local and transport layer protocol being UDP, if the packet’s port number does not match the running process, the device will send the source a “port unreachable” ICMP error packet.
• If the source uses “strict source routing” to send packets, but the intermediate device finds the next hop specified by the source is not directly connected, the device will send the source a “source routing failure” ICMP error packet.
• When forwarding a packet, if the MTU of the sending interface is smaller than the packet but the packet has been set “Don’t Fragment”, the device will send the source a “fragmentation needed and Don’t Fragment (DF)-set” ICMP error packet.
Disadvantage of sending ICMP error packets
Although sending ICMP error packets facilitates network control and management, it has the following disadvantages:
• Sending a lot of ICMP packets will increase network traffic.
• If the device receives a lot of malicious packets that cause it to send ICMP error packets, its performance will be reduced.
• As the redirection function increases the routing table size of a host, the host’s performance will be reduced if its routing table becomes very large.
• If a host sends malicious ICMP destination unreachable packets, end users may be affected.
To prevent such problems, you can disable the device from sending ICMP error packets.
Follow these steps to disable sending ICMP error packets:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Disable sending ICMP redirection packets | undo ip redirects | Required. Enabled by default. |
| Disable sending ICMP timeout packets | undo ip ttl-expires | Required. Enabled by default. |
| Disable sending ICMP destination unreachable packets | undo ip unreachables | Required. Enabled by default. |
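
The following Python code is an added example, not part of the H3C manual. It classifies raw ICMP messages from a packet capture into the error kinds this section names, using the standard RFC 792 type and code numbers, so you can tally what a device still sends after the commands above are applied. The function names and the sample builder are assumptions for illustration, and the input is assumed to be the ICMP message with the IP header already removed.

```python
import struct
from collections import Counter

# ICMP type 3 codes (RFC 792) for the five conditions listed in this section.
UNREACH_CODES = {
    0: "network unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source routing failure",
}
# The two other error types that the commands in the table turn off.
OTHER_TYPES = {5: "redirect", 11: "timeout"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def classify_icmp_error(icmp: bytes) -> str:
    """Name the error in a raw ICMP message (IP header already stripped)."""
    if len(icmp) < 8:
        return "truncated"
    if internet_checksum(icmp) != 0:
        return "bad checksum"
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type == 3:
        return UNREACH_CODES.get(code, f"unreachable, code {code}")
    return OTHER_TYPES.get(icmp_type, "not a covered ICMP error")


def build_sample(icmp_type: int, code: int) -> bytes:
    """Constructed sample: ICMP header plus 28 dummy bytes of quoted datagram."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + b"\x45" + b"\x00" * 27
    csum = internet_checksum(body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def tally(messages) -> Counter:
    """Count each error kind, e.g. to confirm none are sent after disabling."""
    return Counter(classify_icmp_error(m) for m in messages)
```

Messages that fail the checksum or are shorter than the 8-byte ICMP header are reported separately, so malformed traffic is not counted as a genuine error from the device.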