beautypg.com

H3C Technologies H3C SecPath F1000-E User Manual

Page 724

background image

699

Enabling sending of ICMPv6 destination unreachable
messages

If the firewall fails to forward a received IPv6 packet due to one of the following reasons, it drops the
packet and sends a corresponding ICMPv6 Destination Unreachable error message to the source.

If no route is available for forwarding the packet, the firewall sends a "no route to destination"
ICMPv6 error message to the source.

If the firewall fails to forward the packet due to administrative prohibition (such as a firewall filter or
an ACL), the firewall sends the source a "destination network administratively prohibited" ICMPv6

error message.

If the firewall fails to deliver the packet because the destination is beyond the scope of the source
IPv6 address (for example, the source IPv6 address of the packet is a link-local address whereas the
destination IPv6 address of the packet is a global unicast address), the firewall sends the source a

"beyond scope of source address" ICMPv6 error message.

If the firewall fails to resolve the corresponding link layer address of the destination IPv6 address,
the firewall sends the source an "address unreachable" ICMPv6 error message.

If the packet with the destination being local and transport layer protocol being UDP and the
packet's destination port number does not match the running process, the firewall sends the source

a "port unreachable" ICMPv6 error message.

If an attacker sends abnormal traffic that causes the firewall to generate ICMPv6 destination unreachable

messages, end users may be affected. To prevent such attacks, you can disable the firewall from sending

ICMPv6 destination unreachable messages.
To enable sending of ICMPv6 destination unreachable messages:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enable sending of ICMPv6 destination
unreachable messages.

ipv6 unreachables enable

Disabled by default

Displaying and maintaining IPv6 basics

configuration

Task Command

Remarks

Display the IPv6 FIB entries.

display ipv6 fib [ vpn-instance
vpn-instance-name ] [ acl6 acl6-number |

ipv6-prefix ipv6-prefix-name ] [ | { begin |
exclude | include } regular-expression ]

Available in any view

Display the IPv6 FIB entry of a
specified destination IPv6

address.

display ipv6 fib [ vpn-instance
vpn-instance-name ] ipv6-address

[ prefix-length ] [ | { begin | exclude | include }

regular-expression ]

Available in any view