ICMP


Subject: ICMP
From: Christopher E. Brown (cbrown@woods.net)
Date: Wed Mar 20 2002 - 22:44:24 AKST


On Wed, 20 Mar 2002, Leif Sawyer wrote:
> Iffn I remember correctly, ICMP (type 3) is Destination Unreachable.
>
> If you block this ICMP packet, then a sending host will continue trying
> to contact the destination, backing off further and further.
>
> The ICMP[3] message will let the sender know that the destination host
> is unavailable. Of course, the sender's application needs to be aware
> of these messages in order to terminate the connection attempt.
>
> Leif

        No, that is the IP stack's job (unless you are using an app on
a broken OS that does not do IP to spec). The IP stack handles
things, and passes a connect failed/reason to the app. However, ICMP
is how failures are found *without* waiting for the 10 - 300 second
timeout. It will not back off further and further, but timeout, or
run into MTU issues that cause connection halts. (Remember, for
Unicast ICMP is the method by which IP provides its failover and error
reporting, as well as some adaptive tuning (such as path MTU and MSS
adjustments).)

ICMP type 3 is *required* for connection handling, including Path MTU
Discovery. On a *ROUTER* in *TRANSIT* you can block Types 0, 5, 8,
17, 18, 30. But only for transit. Others can be blocked as well,
depending on your traffic types and setup. However, *ANY* ICMP blocks
should be very well thought out and chosen by Type/Code on a case by
case basis. Screwing this up totally FUBARs your network.

ICMP Type 3 codes

0 Net Unreachable
1 Host Unreachable
2 Protocol Unreachable
3 Port Unreachable
4 Fragmentation Needed and Don't Fragment was Set
5 Source Route Failed
6 Destination Network Unknown
7 Destination Host Unknown
8 Source Host Isolated
9 Communication with Destination Network is Administratively Prohibited
10 Communication with Destination Host is Administratively Prohibited
11 Destination Network Unreachable for Type of Service
12 Destination Host Unreachable for Type of Service
13 Communication Administratively Prohibited
14 Host Precedence Violation
15 Precedence cutoff in effect

ICMP Types

    0 Echo Reply
    3 Destination Unreachable
    4 Source Quench
    5 Redirect
    8 Echo
   11 Time Exceeded
   12 Parameter Problem
   13 Timestamp
   14 Timestamp Reply
   15 Information Request
   16 Information Reply
   17 Address Mask Request
   18 Address Mask Reply

ICMP is defined as an extension/required part of IP in RFC792.
Types 0 - 16 are defined in RFC 793.
Types 17 and 18 are added in RFC950.

These are all part of standard 5 (STD0005), covering RFCs
791, 792, 919, 922, 950, 1112

There is an extension in RFC1812 labeled PROPOSED STANDARD that adds
Code 13, Code 14 and Code 15 to ICMP Type 3

There is a Router discovery extension in RFC1256 labeled PROPOSED
STANDARD that adds Type 9 and Type 10

Type 9 is redefined adding 2 Codes in RFC2002 labeled PROPOSED
STANDARD

There is a traceroute extension in RFC1393 labeled as EXPERIMENTAL
that adds Type 30

There is an IPSEC extension in RFC2521 labeled as EXPERIMENTAL that
adds Type 40

Many sites block ALL ICMP, but you cannot do this: ICMP (and IGMP) is
considered to be a REQUIRED part of the IP spec; even though it is
sent as an IP payload, it is part of IP, not true payload (like
TCP/UDP/etc).

ICMP Type 3, Destination Unreachable
Type 3 codes:

      0 = net unreachable
      1 = host unreachable
      2 = protocol unreachable
      3 = port unreachable
      4 = fragmentation needed and DF set
      5 = source route failed

While the above list is required by STD0005, there are many additions
to the list. Hosts are required to discard ICMP packets of a Type or
Type/Code they do not understand; routers are required to pass them if
it is through traffic, or discard *if* it is destined to the router (router
as host). The current *working* list (IANA extension of RFC1700) is

ICMP Types (for sub Codes see IANA docs on ICMP)

  0 Echo Reply [RFC792]
  1 Unassigned
  2 Unassigned
  3 Destination Unreachable [RFC792]
  4 Source Quench [RFC792]
  5 Redirect [RFC792]
  6 Alternate Host Address
  7 Unassigned
  8 Echo [RFC792]
  9 Router Advertisement [RFC1256]
 10 Router Solicitation [RFC1256]
 11 Time Exceeded [RFC792]
 12 Parameter Problem [RFC792]
 13 Timestamp [RFC792]
 14 Timestamp Reply [RFC792]
 15 Information Request [RFC792]
 16 Information Reply [RFC792]
 17 Address Mask Request [RFC950]
 18 Address Mask Reply [RFC950]
 19 Reserved (for Security)
 20-29 Reserved (for Robustness Experiment)
 30 Traceroute [RFC1393]
 31 Datagram Conversion Error [RFC1475]
 32 Mobile Host Redirect
 33 IPv6 Where-Are-You
 34 IPv6 I-Am-Here
 35 Mobile Registration Request
 36 Mobile Registration Reply
 37 Domain Name Request
 38 Domain Name Reply
 39 SKIP
 40 Photuris [RFC2521]
 41-255 Reserved
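As an added example (Python, not code from the post or from any project it mentions), the block below parses an ICMP header, verifies the RFC 1071 one's-complement checksum, names the Type and the Type 3 Code from the tables above, pulls the next-hop MTU out of a Type 3 Code 4 message (the RFC 1191 field that Path MTU Discovery depends on), and applies the transit-router filter the post describes: drop only Types 0, 5, 8, 17, 18 and 30, always forward Type 3, and forward unknown types so the end host can discard them. Treating Types 11 and 12 as always-pass alongside Type 3 is my reading of the post's "only those types" advice, not its literal words. The sample messages are constructed; their 4-byte payloads stand in for the IP header plus 8 bytes of the datagram that triggered the error.

```python
"""Parse ICMP messages and apply the transit-router filter described in the post.

Added example; not code from the original post. The ICMP messages built
at the bottom are constructed sample data, not captured traffic.
"""
import struct

# Type names as listed in the post (RFC 792, 950, 1256, 1393, 2521).
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo", 9: "Router Advertisement",
    10: "Router Solicitation", 11: "Time Exceeded", 12: "Parameter Problem",
    13: "Timestamp", 14: "Timestamp Reply", 15: "Information Request",
    16: "Information Reply", 17: "Address Mask Request",
    18: "Address Mask Reply", 30: "Traceroute", 40: "Photuris",
}

# Type 3 codes from the post (RFC 792 codes 0-5, RFC 1812 codes 13-15).
TYPE3_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation Needed and DF Set",
    5: "Source Route Failed", 6: "Destination Network Unknown",
    7: "Destination Host Unknown", 8: "Source Host Isolated",
    9: "Net Administratively Prohibited", 10: "Host Administratively Prohibited",
    11: "Net Unreachable for TOS", 12: "Host Unreachable for TOS",
    13: "Communication Administratively Prohibited",
    14: "Host Precedence Violation", 15: "Precedence Cutoff in Effect",
}

# Types the post says a router may drop for *transit* traffic only.
TRANSIT_DROPPABLE = {0, 5, 8, 17, 18, 30}
# Error-reporting types a router must forward: Type 3 carries the
# unreachable/PMTU information hosts need to fail fast instead of timing out.
# (Including 11 and 12 here is an assumption, see the lead-in.)
ALWAYS_PASS = {3, 11, 12}


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Build an ICMP message with a correct checksum (used for sample data)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = rfc1071_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header; a valid checksum over the whole message folds to 0."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", packet[:8])
    info = {
        "type": icmp_type,
        "code": code,
        "name": ICMP_TYPES.get(icmp_type, "Unassigned/Reserved"),
        "checksum_ok": rfc1071_checksum(packet) == 0,
    }
    if icmp_type == 3:
        info["code_name"] = TYPE3_CODES.get(code, "Unknown code")
        if code == 4:
            # RFC 1191: the low 16 bits of the "unused" word carry the next-hop MTU.
            info["next_hop_mtu"] = rest & 0xFFFF
    return info


def transit_policy(packet: bytes) -> str:
    """Return 'pass' or 'drop' for a transit router following the post's advice."""
    info = parse_icmp(packet)
    if not info["checksum_ok"]:
        return "drop"            # corrupt message: nothing useful to forward
    if info["type"] in ALWAYS_PASS:
        return "pass"
    if info["type"] in TRANSIT_DROPPABLE:
        return "drop"
    return "pass"                # unknown types are forwarded; the end host discards them


# Constructed samples: the 4-byte payload stands in for the IP header + 8 bytes
# of the datagram that triggered the error.
SAMPLES = {
    "pmtu": build_icmp(3, 4, rest=1400, payload=b"\x45\x00\x00\x3c"),
    "port_unreach": build_icmp(3, 3, payload=b"\x45\x00\x00\x3c"),
    "echo": build_icmp(8, 0, rest=0x12340001, payload=b"hello"),
    "ttl": build_icmp(11, 0, payload=b"\x45\x00\x00\x3c"),
}


def decisions() -> dict:
    """Policy result for each constructed sample, keyed by sample name."""
    return {name: transit_policy(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, parse_icmp(pkt), transit_policy(pkt))
```

The point of checking the checksum before consulting the policy is that a Type 3 Code 4 with a mangled MTU field would otherwise be forwarded and could shrink a host's MSS for no reason; the point of the default "pass" branch is the post's rule that routers forward transit ICMP they do not understand and leave discarding to the host.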
