Enabling replying to multicast echo requests, Enabling sending of icmpv6 time exceeded messages – H3C Technologies H3C SecPath F1000-E User Manual
Step 2: Configure the capacity and update interval of the token bucket.
  Command: ipv6 icmp-error { bucket bucket-size | ratelimit interval } *
  Remarks: Optional. By default, the capacity of a token bucket is 10 and the update interval is 100 milliseconds, so at most 10 ICMPv6 error packets can be sent within 100 milliseconds. An update interval of 0 indicates that the number of ICMPv6 error packets sent is not restricted.
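The following Python model is an added illustration of the rate-limit semantics described above; it is not code from the H3C manual or the firewall itself. It assumes the bucket is refilled to full capacity once per update interval (the manual only states the resulting bound of 10 error packets per 100 ms) and that an interval of 0 disables limiting. The arrival timestamps are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Icmpv6ErrorLimiter:
    """Token bucket mirroring `ipv6 icmp-error { bucket bucket-size | ratelimit interval } *`.

    bucket_size: tokens available per interval (default 10).
    interval_ms: refill period in milliseconds (default 100); 0 means unrestricted.
    Refill-to-capacity per interval is an assumption, not documented behaviour.
    """
    bucket_size: int = 10
    interval_ms: int = 100
    tokens: int = field(init=False)
    last_refill_ms: int = 0

    def __post_init__(self) -> None:
        self.tokens = self.bucket_size  # bucket starts full

    def allow(self, now_ms: int) -> bool:
        """Return True if an ICMPv6 error packet may be sent at time now_ms."""
        if self.interval_ms == 0:
            return True  # interval 0: no rate limiting
        elapsed = now_ms - self.last_refill_ms
        if elapsed >= self.interval_ms:
            # A full interval has passed: refill to capacity (assumed semantics)
            self.tokens = self.bucket_size
            self.last_refill_ms = now_ms - (elapsed % self.interval_ms)
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def simulate(arrivals_ms, bucket_size: int = 10, interval_ms: int = 100):
    """Count how many error-triggering packets get an ICMPv6 error reply.

    arrivals_ms: sorted timestamps (ms) of packets that would each trigger an
    ICMPv6 error. Returns (sent, suppressed).
    """
    limiter = Icmpv6ErrorLimiter(bucket_size, interval_ms)
    sent = suppressed = 0
    for t in arrivals_ms:
        if limiter.allow(t):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


if __name__ == "__main__":
    # Constructed burst: 25 error-triggering packets within the first 100 ms,
    # then 25 more in the next 100 ms.
    burst1 = list(range(0, 100, 4))
    burst2 = list(range(100, 200, 4))
    print("defaults, one burst:", simulate(burst1))            # (10, 15)
    print("defaults, two bursts:", simulate(burst1 + burst2))  # (20, 30)
    print("ratelimit 0:", simulate(burst1, interval_ms=0))     # (25, 0)
```

Running it shows why the default bound matters: a flood that would otherwise cost the device 50 error replies costs it 20, while `ratelimit 0` answers every one.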
Enabling replying to multicast echo requests
If hosts are configured to answer multicast echo requests, an attacker can abuse this mechanism to attack a host. For example, if Host A (the attacker) sends an echo request to a multicast address with the source address spoofed as Host B, every host in the multicast group sends an echo reply to Host B. To prevent such an attack, the firewall does not answer multicast echo requests by default. In some application scenarios, however, you need to enable the firewall to answer multicast echo requests.
To enable replying to multicast echo requests:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable replying to multicast echo requests.
  Command: ipv6 icmpv6 multicast-echo-reply enable
  Remarks: Not enabled by default.
Enabling sending of ICMPv6 time exceeded messages
The firewall sends out an ICMPv6 Time Exceeded message in the following cases:
• If a received IPv6 packet's destination IP address is not a local address and its hop limit is 1, the firewall sends an ICMPv6 Hop Limit Exceeded message to the source.
• Upon receiving the first fragment of an IPv6 datagram whose destination IP address is a local address, the firewall starts a timer. If the timer expires before all the fragments arrive, the firewall sends an ICMPv6 Fragment Reassembly Timeout message to the source.
If large numbers of malicious packets are received, the performance of the device degrades greatly because it has to send back an ICMPv6 Time Exceeded message for each one. You can disable sending of ICMPv6 Time Exceeded messages.
To enable sending of ICMPv6 time exceeded messages:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable sending of ICMPv6 Time Exceeded messages.
  Command: ipv6 hoplimit-expires enable
  Remarks: Optional. Enabled by default.