
Disadvantages of sending ICMP error packets – H3C Technologies H3C SecBlade LB Cards User Manual


• There is no source route option in the packet.

The ICMP redirect packets function simplifies host administration and enables a host to gradually
optimize the routing table.

ICMP timeout packets
If the device receives an IP packet with a timeout error, it drops the packet and sends an ICMP
timeout packet to the source.
The device sends an ICMP timeout packet under the following conditions:

• If the device finds that the destination of a packet is not itself and the TTL field of the packet is 1, it sends a "TTL timeout" ICMP error message.

• When the device receives the first fragment of an IP datagram whose destination is the device itself, it starts a timer. If the timer times out before all the fragments of the datagram are received, the device sends a "reassembly timeout" ICMP error packet.

ICMP destination unreachable packets
If the device receives an IP packet with the destination unreachable, it drops the packet and sends
an ICMP destination unreachable error packet to the source.
Conditions for sending an ICMP destination unreachable packet:

• If neither a route nor the default route for forwarding a packet is available, the device sends a "network unreachable" ICMP error packet.

• If the destination of a packet is local but the transport layer protocol of the packet is not supported by the local device, the device sends a "protocol unreachable" ICMP error packet to the source.

• When receiving a packet with the destination being local and transport layer protocol being UDP, if the packet's port number does not match the running process, the device sends the source a "port unreachable" ICMP error packet.

• If the source uses "strict source routing" to send packets, but the intermediate device finds that the next hop specified by the source is not directly connected, the device sends the source a "source routing failure" ICMP error packet.

• When forwarding a packet, if the MTU of the sending interface is smaller than the packet, but the packet has been set as "Don't Fragment," the device sends the source a "fragmentation needed and Don't Fragment (DF)-set" ICMP error packet.

Disadvantages of sending ICMP error packets

Sending ICMP error packets facilitates network control and management, but it has the following
disadvantages:

• Sending a lot of ICMP packets increases network traffic.

• A device's performance degrades if it receives a lot of malicious packets that cause it to respond with ICMP error packets.

• A host's performance degrades if the redirection function increases the size of its routing table.

• End users are affected if malicious users send ICMP destination unreachable packets.

To prevent such problems, disable the device from sending ICMP error packets.
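Before disabling these replies, it helps to measure how many ICMP error packets a device is sending and which senders provoke them. The following Python example is added here and is not part of the H3C manual: it validates raw ICMP messages, maps their RFC 792 type/code values to the timeout and destination unreachable names used above, and counts errors per original sender. The function names, the threshold and the sample addresses are assumptions constructed for the example.

```python
import socket
import struct
from collections import Counter

ICMP_ERRORS = {  # RFC 792 (type, code) -> name used in this manual
    (3, 0): "network unreachable", (3, 2): "protocol unreachable",
    (3, 3): "port unreachable", (3, 4): "fragmentation needed and DF set",
    (3, 5): "source routing failure",
    (11, 0): "TTL timeout", (11, 1): "reassembly timeout",
}

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); a valid ICMP message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp_error(msg: bytes):
    """Parse one ICMP message (ICMP header onward); None if corrupt or not listed."""
    if len(msg) < 28 or checksum(msg) != 0:
        return None
    name = ICMP_ERRORS.get((msg[0], msg[1]))
    inner = msg[8:]                      # original IPv4 header quoted in the error
    if name is None or inner[0] >> 4 != 4:
        return None
    return {"error": name, "orig_proto": inner[9],
            "orig_src": socket.inet_ntoa(inner[12:16]),
            "orig_dst": socket.inet_ntoa(inner[16:20])}

def heavy_triggers(messages, threshold):
    """Count errors per (original sender, error name); keep those >= threshold."""
    parsed = filter(None, map(parse_icmp_error, messages))
    counts = Counter((p["orig_src"], p["error"]) for p in parsed)
    return {key: n for key, n in counts.items() if n >= threshold}

def build_sample(icmp_type, code, src, dst, proto=17):
    """Constructed input: ICMP error wrapping a minimal IPv4 header + 8 bytes."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst)) + bytes(8)
    head = struct.pack("!BBHI", icmp_type, code, 0, 0)
    return struct.pack("!BBHI", icmp_type, code, checksum(head + inner), 0) + inner

# Constructed capture: one sender provokes five "port unreachable" replies.
SAMPLE = [build_sample(3, 3, "198.51.100.7", "192.0.2.1") for _ in range(5)]
SAMPLE.append(build_sample(11, 0, "203.0.113.9", "192.0.2.50", proto=6))
SAMPLE.append(SAMPLE[0][:-1] + b"\xff")   # corrupted copy, fails the checksum
```

The sender address is read from the IP header quoted inside each error, so it is only as trustworthy as the source address of the packet that triggered the reply.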
