Guide To TCP/IP, Second Edition - PowerPoint PPT Presentation

Slides: 55
Provided by: billb98

1
Guide To TCP/IP, Second Edition
  • Chapter 4
  • Internet Control Message Protocol (ICMP)

2
Objectives
  • Understand the Internet Control Message Protocol
  • Test and troubleshoot sequences for ICMP
  • Work with ICMP packet fields and functions

3
Understanding The Internet Control Message Protocol
  • Provides information about
    • Network Connectivity
    • Routing behavior
    • Reachability
    • Delivery error reports
    • Control information
    • Network congestion

4
Overview of RFC 792
  • Specification of all ICMP messages
  • RFC 792 point about IP and ICMP
  • Mechanism for gateways (routers) or destination
    hosts to communicate with source hosts
  • Specially formatted IP datagrams, with specific
    associated message types and codes
  • Essential part of IP's support fabric
  • ICMP reports errors only about processing of
    non-ICMP IP datagrams

5
ICMP's Vital Role on IP Networks
  • ICMP is used for network monitoring and
    troubleshooting

7
Testing And Troubleshooting Sequences For ICMP
  • Connectivity testing with PING
    • ICMP Echo Request
    • ICMP Echo Reply
  • Windows 2000/XP command-line parameters used with PING
    • -l
    • -f
    • -i
    • -v
    • -w

10
Path Discovery with TRACEROUTE
  • Identifies a path
  • Steps TRACEROUTE uses to identify a path
    • Host sends an ICMP Echo Request with a TTL value of 1
    • Router 1 discards the packet and sends an ICMP Time Exceeded-TTL Exceeded in Transit message
    • Host sends an ICMP Echo Request with a TTL value of 2
    • Router 1 decrements the TTL of the ICMP Echo Request packet by 1
    • Router 2 discards the packet and sends an ICMP Time Exceeded-TTL Exceeded in Transit message
    • Destination host sends an ICMP Echo Reply

12
Path Discovery with TRACEROUTE (cont.)
  • Windows 2000/XP command-line parameters used with TRACERT
    • -d
    • -h
    • -w

13
Path MTU Discovery with ICMP
  • Enables a source to learn the supported MTU
    across an entire path, without supporting
    fragmentation
  • Don't Fragment bit in the IP header set to 1
  • ICMP Destination Unreachable: Fragmentation
    Needed and Don't Fragment
  • End-to-end minimum MTU size
  • PMTU Discovery process continues to recheck itself

14
Path MTU Discovery with ICMP (cont.)
  • RFC 1191 requires the PMTU host to periodically
    try a larger MTU to see if the allowable data
    size has increased
  • RFC 1191 specifies backward compatibility for
    routers that cannot include the MTU value
  • Black hole routers
  • Thwarting auto-recovery and auto-reconfiguration
    attempts

17
Routing Sequences for ICMP
  • Router Discovery
    • ICMP Router Solicitation
    • ICMP Router Discovery
  • Router Advertising
    • Periodic ICMP Router Advertisements let hosts passively learn about available routes
    • TTL of a route entry is 30 minutes, after which the entry is removed from the route table
    • Advertising rate is between seven and ten minutes
  • Redirection to a better router

20
Security Issues For ICMP
  • ICMP is part of a reconnaissance process
    • IP host probe
    • Port probe
  • Security websites provide tools that can easily be instructed to scan specific IP address ranges
    • www.atstake.com/research/tools
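
For the defender, an IP host probe shows up as one source sending ICMP Echo (type 8) to many different addresses in a short time. The sketch below is an added example, not part of the original presentation; the record layout, the window and threshold values, and the sample addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample records: (epoch seconds, source, destination, ICMP type).
SAMPLE = (
    # One source sweeping 20 addresses in under four seconds.
    [(100.0 + 0.2 * i, "192.0.2.10", f"198.51.100.{i + 1}", 8) for i in range(20)]
    # A monitoring host pinging a single target once per second.
    + [(100.0 + i, "192.0.2.50", "198.51.100.7", 8) for i in range(20)]
    # The Echo Replies (type 0) that target sends back.
    + [(100.1 + i, "198.51.100.7", "192.0.2.50", 0) for i in range(20)]
)

def find_host_probes(records, window=10.0, threshold=5):
    """Return {source: peak count of distinct Echo targets inside one window}
    for every source that reaches the threshold."""
    recent = defaultdict(deque)       # source -> (timestamp, destination) pairs
    flagged = {}
    for ts, src, dst, icmp_type in sorted(records):
        if icmp_type != 8:            # only Echo requests count as probes
            continue
        queue = recent[src]
        queue.append((ts, dst))
        while ts - queue[0][0] > window:   # drop entries older than the window
            queue.popleft()
        distinct = len({d for _, d in queue})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged
```

Counting distinct destinations rather than packets keeps a monitoring host that pings one target repeatedly from being flagged.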

21
ICMP Packet Fields And Functions
  • Two types of ICMP fields
    • Constant and Variable
  • Constant ICMP fields
    • Type Field
    • Code Field
    • Checksum Field

23
ICMP Packet Fields And Functions (cont.)
  • The variable ICMP structures and functions
    • Types 0 and 8: Echo Reply and Echo Packets
    • Type 3: Destination Unreachable Packets
      • Code 0: Net Unreachable
      • Code 1: Host Unreachable
      • Code 2: Protocol Unreachable
      • Code 3: Port Unreachable
      • Code 4: Fragmentation Needed and Don't Fragment Was Set
      • Code 5: Source Route Failed
      • Code 6: Destination Network Unknown
      • Code 7: Destination Host Unknown

32
ICMP Packet Fields And Functions (cont.)
  • Type 3: Destination Unreachable Packets (cont.)
    • Code 8: Source Host Isolated
    • Code 9: Communication with Destination Network Is Administratively Prohibited
    • Code 10: Communication with Destination Host Is Administratively Prohibited
    • Code 11: Destination Network Unreachable for Type of Service
    • Code 12: Destination Host Unreachable for Type of Service
    • Code 13: Communication Administratively Prohibited
    • Code 14: Host Precedence Violation
    • Code 15: Precedence Cutoff in Effect

33
ICMP Packet Fields And Functions (cont.)
  • Type 4: Source Quench
  • Type 5: Redirect
    • Code 0: Redirect Datagram for the Network (or Subnet)
    • Code 1: Redirect Datagram for the Host
    • Code 2: Redirect Datagram for the Type of Service and Network
    • Code 3: Redirect Datagram for the Type of Service and Host
  • Types 9 and 10: Router Advertisement and Router Solicitation

39
ICMP Packet Fields And Functions (cont.)
  • Type 11: Time Exceeded
    • Code 0: Time to Live Exceeded in Transit
    • Code 1: Fragment Reassembly Time Exceeded
  • Type 12: Parameter Problem
    • Code 0: Pointer Indicates the Error
    • Code 1: Missing a Required Option
    • Code 2: Bad Length
  • Types 13 and 14: Timestamp and Timestamp Reply

43
ICMP Packet Fields And Functions (cont.)
  • Types 15 and 16: Information Request and Information Reply
  • Types 17 and 18: Address Mask Request and Address Mask Reply
  • Type 30: Traceroute
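
The constant fields (Type, Code, Checksum) and two of the variable structures listed in these slides can be decoded and validated as follows. This is an added example, not part of the original presentation; the function names and the sample message are constructed for illustration, and only a subset of the slides' type and code names is included.

```python
import struct

# Names from the slides' Type and Code lists; other values decode as unknown.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo", 11: "Time Exceeded",
              12: "Parameter Problem"}
ICMP_CODES = {
    3: ["Net Unreachable", "Host Unreachable", "Protocol Unreachable",
        "Port Unreachable", "Fragmentation Needed and Don't Fragment Was Set",
        "Source Route Failed"],
    11: ["Time to Live Exceeded in Transit",
         "Fragment Reassembly Time Exceeded"],
}

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length messages
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def with_checksum(msg: bytes) -> bytes:
    """Fill bytes 2-3 of a constructed message with its correct checksum."""
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    return msg[:2] + struct.pack("!H", internet_checksum(zeroed)) + msg[4:]

def parse_icmp(msg: bytes) -> dict:
    """Decode the constant fields, then the type-specific words."""
    if len(msg) < 8:
        raise ValueError("shorter than the 8-byte ICMP header")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    codes = ICMP_CODES.get(icmp_type, [])
    info = {"type": icmp_type, "code": code,
            "type_name": ICMP_TYPES.get(icmp_type, "unknown"),
            "code_name": codes[code] if code < len(codes) else None,
            # Summing a valid message, checksum field included, yields zero.
            "checksum_ok": internet_checksum(msg) == 0}
    if icmp_type in (0, 8):                  # Echo: identifier and sequence
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
    elif icmp_type == 3 and code == 4:       # RFC 1191 next-hop MTU field
        info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    return info

# Constructed sample: Echo with identifier 0x1234, sequence 1, 8-byte payload.
SAMPLE_ECHO = with_checksum(struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"abcdefgh")
```

A failed checksum or an unknown type or code in captured traffic is worth a closer look, since well-behaved stacks do not emit either.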

47
Chapter Summary
  • ICMP provides vital feedback about IP routing and
    delivery problems
  • ICMP also provides important IP diagnostic and
    control capabilities that include reachability
    analysis, congestion management, route
    optimization, and timeout error reports

48
Chapter Summary (cont.)
  • Although ICMP messages fall within various
    well-documented types and behave as a separate
    protocol at the TCP/IP Network layer, ICMP is
    really part of IP itself, and its support is
    required in any standards-compliant IP
    implementation
  • RFC 792 describes ICMP, but numerous other RFCs
    (such as 950, 1191, and 1812) describe additional
    details about how ICMP should behave, and how its
    messages should be generated and handled

49
Chapter Summary (cont.)
  • Two vital TCP/IP diagnostic utilities, known as
    PING and TRACEROUTE (invoked as TRACERT in the
    Windows environment), use ICMP to measure
    roundtrip times between a sending and receiving
    host, and to perform path discovery for a sending
    host and all intermediate hosts or routers
    between sender and receiver

50
Chapter Summary (cont.)
  • ICMP also supports Path MTU (PMTU) Discovery
    between a sender and a receiver, which optimizes
    performance of data delivery between pairs of
    hosts by avoiding fragmentation en route
  • This occurs by establishing the smallest MTU
    required for the path between sender and
    receiver, and then transmitting all datagrams of
    that size or smaller from the sending host

51
Chapter Summary (cont.)
  • Route and routing error information from ICMP
    derives from numerous types of ICMP messages
  • These include the ICMP Router Solicitation (which
    hosts use to locate routers) and ICMP Router
    Advertisement messages (which routers use to
    advertise their presence and capabilities), as
    well as the various codes for the ICMP
    Destination Unreachable message, which documents
    many possible causes for delivery failures

52
Chapter Summary (cont.)
  • ICMP also supports route optimization through its
    ICMP Redirect message type, but this capability
    is normally restricted only to trusted sources of
    information because of potential security
    problems that uncontrolled acceptance of such
    messages can cause

53
Chapter Summary (cont.)
  • Although ICMP has great positive value as a
    diagnostic and reporting tool, those same
    capabilities can be turned to nefarious purposes
    as well, which makes security issues for ICMP
    important
  • When hackers investigate networks, ICMP host
    probes often represent early stages of attack

54
Chapter Summary (cont.)
  • Understanding the meaning and significance of the
    ICMP Type and Code fields is essential to
    recognizing individual ICMP messages and what
    they are trying to communicate
  • ICMP message structures and functions can vary,
    depending on the information that any such
    message seeks to convey