Configuring ICMP to send error packets, Advantages of sending ICMP error packets – H3C Technologies H3C SecPath F1000-E User Manual
Configuring ICMP to send error packets
Sending error packets is a major function of ICMP. In case of network abnormalities, error packets are
usually sent by the network or transport layer protocols to notify corresponding devices so as to facilitate
control and management.
Advantages of sending ICMP error packets
ICMP error packets include redirect, timeout, and destination unreachable packets.
1. ICMP redirect packets
A host may have only a default route to the default gateway in its routing table after startup. The
default gateway will send ICMP redirect packets to the source host, telling it to reselect a correct
next hop to send the subsequent packets, if the following conditions are satisfied:
  - The receiving and forwarding interfaces are the same.
  - The selected route has not been created or modified by an ICMP redirect packet.
  - The selected route is not the default route of the device.
  - There is no source route option in the packet.
The ICMP redirect packets function simplifies host administration and enables a host to gradually
establish a sound routing table to find the best route.
2. ICMP timeout packets
If the firewall receives an IP packet with a timeout error, it drops the packet and sends an ICMP
timeout packet to the source.
The firewall sends an ICMP timeout packet under the following conditions:
  - If the firewall finds the destination of a packet is not itself and the TTL field of the packet is 1, it
    will send a "TTL timeout" ICMP error message.
  - When the firewall receives the first fragment of an IP datagram whose destination is the firewall
    itself, it starts a timer. If the timer times out before all the fragments of the datagram are received,
    the firewall will send a "reassembly timeout" ICMP error packet.
3. ICMP destination unreachable packets
If the firewall receives an IP packet whose destination is unreachable, it will drop the packet and
send an ICMP destination unreachable error packet to the source.
Conditions for sending an ICMP destination unreachable packet:
  - If neither a route nor the default route for forwarding a packet is available, the firewall will send
    a "network unreachable" ICMP error packet.
  - If the destination of a packet is local but the transport layer protocol of the packet is not
    supported by the local device, the device sends a "protocol unreachable" ICMP error packet to
    the source.
  - When receiving a packet whose destination is local and whose transport layer protocol is
    UDP, if the packet's port number does not match a running process, the firewall will send the
    source a "port unreachable" ICMP error packet.
  - If the source uses "strict source routing" to send packets, but the intermediate device finds that
    the next hop specified by the source is not directly connected, the firewall will send the source
    a "source routing failure" ICMP error packet.
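When reviewing a capture taken next to the firewall, it helps to label each ICMP error with the names used in this section and to see which original flow triggered it. The following is an added example, not part of the H3C manual: the type and code numbers are those of RFC 792, and the function names and the sample packet are constructed for illustration.

```python
import struct

# (type, code) -> error names used in this section; numbers per RFC 792
ICMP_ERRORS = {
    (3, 0): "network unreachable",
    (3, 2): "protocol unreachable",
    (3, 3): "port unreachable",
    (3, 5): "source routing failure",
    (11, 0): "TTL timeout",
    (11, 1): "reassembly timeout",
}
# Constructed sample: original IPv4 header (TTL 1, UDP, 192.0.2.10 -> 198.51.100.7)
# followed by the first 8 bytes of its payload, as embedded in an ICMP error.
SAMPLE_INNER = bytes([0x45, 0, 0, 28, 0, 1, 0, 0, 1, 17, 0, 0,
                      192, 0, 2, 10, 198, 51, 100, 7]) + bytes(8)

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); returns 0 over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(icmp: bytes) -> dict:
    """Decode one ICMP message (outer IP header already stripped)."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    mtype, code = icmp[0], icmp[1]
    name = "redirect" if mtype == 5 else ICMP_ERRORS.get((mtype, code), "other")
    result = {"type": mtype, "code": code, "name": name}
    if mtype == 5:  # bytes 4-7 carry the next hop the host is told to use
        result["gateway"] = ".".join(map(str, icmp[4:8]))
    inner = icmp[8:]
    if name != "other" and len(inner) >= 20:  # embedded original IP header
        result["orig_src"] = ".".join(map(str, inner[12:16]))
        result["orig_dst"] = ".".join(map(str, inner[16:20]))
        result["orig_proto"] = inner[9]
    return result

def build_sample(mtype: int, code: int, rest: bytes, inner: bytes) -> bytes:
    """Build a constructed ICMP error message with a correct checksum."""
    body = bytes([mtype, code, 0, 0]) + rest + inner
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]
```

A spike of one label from a single source, or redirects naming an unexpected gateway, is the kind of pattern this makes visible in a capture.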