Chapter 5
Internet Control Message Protocol (ICMP)
At a Glance
Overview
Objectives
Teaching Tips
Quick Quizzes
Additional Projects
Additional Resources
Key Terms
Guide to TCP/IP, Fourth Edition 5-2
Lecture Notes
Overview
Although IP is certainly the best-known Network layer protocol in the TCP/IP
family, it’s by no means the only such protocol. This chapter covers Internet
Control Message Protocol (ICMP), an important error-handling and information-
handling protocol that is an integral part of the TCP/IP suite of protocols, which
also operates at the Network layer. This chapter starts with an overview of the
various roles ICMP can play, next describes its capabilities, packet layouts, and
field formats, and then explains how ICMP handles error reports, delivery errors,
path discovery, Path Maximum Transmission Unit (MTU) Discovery, and other
routing-related functions.
Chapter Objectives
Explain the basics of the Internet Control Message Protocol (ICMP) and the roles
it plays on networks
Describe the specifications listed in RFC 792, which define the original ICMPv4
protocol, including its header format and the different types and formats of
ICMPv4 messages
Provide a basic overview of the ICMPv6 protocol, covering its header format and
the different types and formats of ICMPv6 messages, including how error
messages and informational message types are organized
List the details of the different ICMPv6 error messages, including those that
existed in ICMPv4 and have been upgraded as well as message types that were
newly created for ICMPv6
Describe the intricacies of all the different ICMPv6 informational messages,
including those that existed under ICMPv4 and have been upgraded and those that
have been newly created for use in ICMPv6
Understand the general differences between ICMPv4 and ICMPv6
Explain how Path MTU Discovery operates between IPv4 nodes, including the
involvement of default packet MTUs, packet fragmentation, and the effect of a
packet being marked for no fragmentation relative to ICMPv4 messaging
Describe how Path MTU Discovery has been changed for IPv6 and the associated
changes to ICMPv6 messages for this technology
Describe the various processes for testing and troubleshooting with ICMP,
including the use of network utilities such as Ping, Traceroute, and Pathping as
well as routing sequences and security issues
Explain network protocol analyzer data and use the data to decode ICMPv4 and
ICMPv6 packets in order to understand their versions, types, sequencing, and
other information
Teaching Tips
ICMP Basics
1. If ICMP was part of a mechanic’s tool kit, it would be a screwdriver or a wrench.
If it was part of a cook’s utensils, it would be a measuring cup or a stirring spoon.
It’s that basic. Without the ability to use ICMP utilities like Ping and Traceroute,
it would be extremely difficult to do any maintenance work on a network,
especially with any speed.
2. Recall for your students that ICMP is not only part of the OSI Network layer, but
part of the Internet layer of the TCP/IP stack. You might want to have the students
briefly revisit a comparison between the two protocol stacks as a refresher.
3. Also remember that ICMP is a specialized part of IP and not a separate entity.
We are not studying a separate protocol, but a subset of a large, multifaceted
protocol; one that the Internet and Ethernet LANs could not exist without.
Teaching Tip: For more information and useful links regarding ICMP, visit
http://www.networksorcery.com/enp/protocol/icmp.htm.
1. Use Table 5-1 to explain the ICMP message types and their uses on IP networks.
The first two message types are most often what users and most technicians think
of when they consider ICMP message types. Note that all the message types are
related to routing.
ICMPv4
1. ICMP is a core protocol in the IP suite, originally specified in April 1981 by RFC
777, which was obsoleted the following September by RFC 792. Computer
operating systems use ICMPv4 primarily to send certain error messages to other
networked nodes. Although ICMPv4 may not be known to average computer
users, its most common manifestation—the ping command—is widely used to test
the connection between one computer and another, even by those who may
otherwise know very little about networking.
1. Note that although RFC 792 was published in 1981, it defines the primary
functions of, and blueprints for, ICMP messages to this day.
Quick Quiz 1
1. ____________________ occurs when network traffic starts to exceed handling
capacities.
Answer: Network congestion
ICMPv4 Header
1. In this section, we cover each portion of the header structure, the functions of the
various ICMP packet types, and provide examples of ICMP query and error
messages found on the network.
1. ICMP packets contain only three required fields after the IP header: Type, Code,
and Checksum. In some ICMP packets, however, there are additional fields that
provide information or details about the message, or message-specific
information.
1. There are many ICMP message types, but they fall into two general categories:
error messages and informational messages. All ICMPv4 messages use a common
message format and are sent and received using a simple set of protocol rules.
2. Explain that the Destination Unreachable message is returned to the source node
when a packet that was sent could not be delivered to the destination address. The
sender can then use this information to decide how to correct the problem.
3. Mention that the Source Quench message is used to tell the source node to reduce
the rate of speed at which it sends packets to the destination node. The source
node responds by slowing down the transmission rate until it stops receiving
Source Quench messages.
4. Explain that the Time Exceeded message is sent in two circumstances. The first is
when a packet’s Time to Live (TTL) field is decremented to zero by routers on
the network before the packet reaches its destination. The second is when some of
the fragments of a message do not reach the destination node by the time the
node’s reassembly timer reaches zero.
5. Explain that routers send ICMP Redirect messages to hosts to indicate that a
preferable route exists.
6. Mention that the Parameter Problem message is a “generic” error message that
can be sent back to the source node by any device on the network when that
device detects an error in any header field in an IP packet.
7. Explain that the Echo Request and Echo Reply messages are used for connectivity
testing between network nodes. The most common implementation of these
messages is with the use of the Ping utility.
8. Mention that routers use the Timestamp Request and Timestamp Reply pair of
messages on a network to synchronize their system clocks for date and time. This
method of time synchronization does not work very well on large networks,
particularly the Internet.
9. Mention that the Router Advertisement and Router Solicitation pair of messages
allows a network node not manually configured with the address of a first-hop
router to ask for and receive information about routers on the local network.
10. Explain that the Address Mask Request and Address Mask Reply pair of
messages is used to supply subnet mask information about other computers on the
network to the node sending the Address Mask Request.
11. Explain that the Traceroute message type is similar to Echo Request and Echo
Reply messages except that instead of just testing for basic connectivity, this
ICMPv4 message traces the exact sequence of routers used to send a packet from
the source to the destination node on a hop-by-hop basis.
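The three required fields and the message types described above can be decoded in a few lines. The following is an added example, not taken from the textbook; the function names and the sample messages are constructed for illustration. It classifies a message as error or informational and verifies the Checksum field, which is the field that provides error detection.

```python
import struct

# Type numbers for the ICMPv4 messages listed above (RFC 792, RFC 1256, RFC 1393).
ERROR_TYPES = {3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
               11: "Time Exceeded", 12: "Parameter Problem"}
INFO_TYPES = {0: "Echo Reply", 8: "Echo Request", 9: "Router Advertisement",
              10: "Router Solicitation", 13: "Timestamp Request",
              14: "Timestamp Reply", 17: "Address Mask Request",
              18: "Address Mask Reply", 30: "Traceroute"}


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, then complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length messages
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmpv4(icmp_type: int, code: int, rest: bytes) -> bytes:
    """Build a message: checksum is computed with the Checksum field set to 0."""
    zeroed = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, internet_checksum(zeroed)) + rest


def decode_icmpv4(msg: bytes) -> dict:
    """Decode Type, Code and Checksum from the bytes that follow the IP header."""
    if len(msg) < 4:
        raise ValueError("ICMP message shorter than Type/Code/Checksum")
    icmp_type, code, checksum = struct.unpack("!BBH", msg[:4])
    if icmp_type in ERROR_TYPES:
        category, name = "error", ERROR_TYPES[icmp_type]
    elif icmp_type in INFO_TYPES:
        category, name = "informational", INFO_TYPES[icmp_type]
    else:
        category, name = "unknown", f"type {icmp_type}"
    # Summing the whole message, stored checksum included, gives 0 when intact.
    return {"type": icmp_type, "code": code, "name": name, "category": category,
            "checksum": checksum, "checksum_ok": internet_checksum(msg) == 0}


# Constructed samples: an Echo Request (identifier 0x1234, sequence 1), the same
# message with one payload byte altered in transit, and a Time Exceeded error.
ECHO_REQUEST = build_icmpv4(8, 0, struct.pack("!HH", 0x1234, 1) + b"abcdefgh")
CORRUPTED = ECHO_REQUEST[:-1] + b"X"
TIME_EXCEEDED = build_icmpv4(11, 0, bytes(4) + bytes(28))

if __name__ == "__main__":
    for sample in (ECHO_REQUEST, CORRUPTED, TIME_EXCEEDED):
        print(decode_icmpv4(sample))
```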
1. Figures 5-2 and 5-3 in the text are reminders why the students are being asked to
learn about ICMP packet fields and functions. The information has a practical
application when monitoring and troubleshooting networks with a protocol
analyzer such as Ethereal.
Quick Quiz 2
1. ICMP packets contain only three required fields after the IP header: Type, Code,
and ____________________.
Answer: Checksum
2. The ____ field identifies types of ICMP messages that can be sent on the network.
Answer: Type
3. True or False: The Code field provides error detection for the ICMP header only.
Answer: False
ICMPv6
1. ICMPv6 provides the same basic mechanism for error reporting and information
exchange between networked devices as ICMPv4. The specifications for ICMPv4
are over 30 years old, and a new version of ICMP is required for modern network
messaging requirements. ICMPv6 message types still fall into two main groups:
error messages and informational messages. However, the message types in these
categories have changed, some of them significantly.
Overview of ICMPv6
1. ICMPv6 was originally specified by RFC 1885, which was then made obsolete by
RFC 2463. The current specification is RFC 4443, “Internet Control Message
Protocol (ICMPv6) for Internet Protocol Version 6 (IPv6) Specification.”
ICMPv6 is described as having message types and message type formats updated
for use with the IPv6 protocol.
ICMPv6 Header
1. RFC 4443 describes the general format of ICMPv6 messages. Specific message
types may have their own unique formatting beyond what is illustrated here. An
IPv6 header and potentially one or more extension headers will come before the
ICMPv6 message. The Next Header value for the ICMPv6 header is 58 in the
immediately preceding header. Figure 5-20 shows the general format of the
ICMPv6 message header.
1. When a packet cannot be delivered to its destination for various reasons, such as
the packet containing an invalid destination address, the router encountering this
packet will send a Destination Unreachable message back to the source node.
2. Once the source node receives the Destination Unreachable message, the node is
responsible for deciding a response.
1. Explain that this new ICMPv6 error message type is required because of how
IPv6 manages data fragmentation and reassembly.
1. Explain that the Echo Request and Echo Reply messages are specified in RFC
4443 and perform a basic connectivity test.
1. Router discovery in IPv6 works similarly to router discovery in IPv4 except that
the router discovery function has been integrated into the Neighbor Discovery
(ND) protocol and has become part of a suite of discovery utilities that are used
between network nodes and routers.
Redirect Messages
1. Router Renumbering for IPv6 is specified in RFC 2894 and allows address
prefixes on routers to be configured and reconfigured with the ease of Neighbor
Discovery and Address Autoconfiguration for network nodes. This allows
administrators to update the prefixes used and advertised by IPv6 routers
throughout a site.
1. ICMPv4 and ICMPv6 perform the same basic functions; however, ICMPv6
provides added functionality. Describe general message types common to both
implementations and those new in ICMPv6.
Quick Quiz 3
1. True or False: Data for Echo Request messages may consist of one or more octets
of arbitrary data.
Answer: False
4. True or False: The principal difference between these two versions of the ICMP
protocol is the integration of different messaging types under the ICMPv6
protocol.
Answer: True
2. Each PMTU is made up of a number of links between the source and destination
node, and each link can have a different MTU size. The PMTU is the size of the
smallest MTU for an individual link.
Changes to PMTU
1. IPv6 MTU sizing and fragmentation have been updated to improve the efficiency
and quality of sending and receiving network traffic. One way this was achieved
was by setting the default MTU for packets to 1280 bytes. Another method was to
eliminate fragmentation of packets once they’ve been sent from the source node.
IPv6 routers are unable to fragment packets in transit. If a packet needs to be
fragmented in order to be delivered to the destination, the source node must
perform this task.
1. There are times when network troubleshooting and security will clash. Once, a
Cisco technician was trying to diagnose a problem on a switch. He was able to
ping the switch, but the switch could not ping the technician’s laptop when
commanded to do so over the console connection. Then, the tech realized that he
had the built-in firewall feature on his Windows XP Professional laptop turned on
and the firewall was configured to block ICMP echo replies. Remind your
students that sometimes what we think of as a problem on the network can be a
detail that we have neglected to take into account.
3. You and your students may recall seeing the –l parameter mentioned in Chapter 3.
2. The text briefly mentions pathping here and refers the reader to Appendix C. For
more information on this utility, go to www.windowsitpro.com/. In the
“InstantDoc” window near the top of the page, enter “15736” and click “go,”
which will take you to the article “Pathping: Traceroute on Steroids.”
1. RFC 1191, “Path MTU Discovery,” defines a method for discovering a Path MTU
(PMTU) using ICMP.
2. PMTU Discovery enables a source to learn the currently supported MTU across
an entire path, without requiring fragmentation.
3. Use Figure 5-31 and Tables 5-17 and 5-18 to describe PMTU.
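The discovery process from RFC 1191 can be walked through as a small simulation. This is an added example, not from the textbook: the function names, the legacy_hops parameter and the link MTU values are constructed, and the fallback table for routers that report no MTU is the plateau table from RFC 1191, which goes beyond what the notes above cover.

```python
# Plateau table from RFC 1191 (Table 7-1), used when a router's
# "Fragmentation Needed and Don't Fragment was Set" message carries no MTU.
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]


def send_df(size, link_mtus, legacy_hops=()):
    """Simulate one packet sent with Don't Fragment set along the path.

    Returns None if the packet reaches the destination. Otherwise returns the
    MTU carried in the ICMP Destination Unreachable (type 3, code 4) message
    from the first router whose next link is too small; routers listed in
    legacy_hops predate RFC 1191 and report 0.
    """
    for hop, mtu in enumerate(link_mtus):
        if size > mtu:
            return 0 if hop in legacy_hops else mtu
    return None


def discover_pmtu(link_mtus, legacy_hops=()):
    """Return (pmtu, sizes_tried) for a source attached to link_mtus[0]."""
    size = link_mtus[0]                 # start with the first-hop MTU
    tried = [size]
    while True:
        reported = send_df(size, link_mtus, legacy_hops)
        if reported is None:
            return size, tried          # delivered without fragmentation
        if reported:
            size = reported             # router supplied the next-hop MTU
        else:
            # No MTU in the message: step down to the next lower plateau.
            size = next((p for p in PLATEAUS if p < size), None)
            if size is None:
                raise RuntimeError("path MTU below the IPv4 minimum of 68")
        tried.append(size)


# Constructed paths: link MTUs in order from source to destination.
MODERN_PATH = [1500, 1400, 1500, 1280]
LEGACY_PATH = [1500, 1400, 1500]        # router before link 1 reports no MTU

if __name__ == "__main__":
    print(discover_pmtu(MODERN_PATH))
    print(discover_pmtu(LEGACY_PATH, legacy_hops={1}))
```

With routers that report the next-hop MTU, the source converges on the smallest link MTU; with the legacy router it settles on a plateau value below the true limit, which is safe but not optimal.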
1. ICMP’s most common uses are testing and troubleshooting. Two of the most
well-known utilities, PING and TRACEROUTE, rely on ICMP to perform
connectivity tests and path discovery.
Router Discovery
1. Hosts that would not use Router Discovery either have the default gateway
manually configured on the local computer, or the default gateway is manually
configured on a DHCP (Dynamic Host Configuration Protocol) server that is
handing out that information to hosts configured to accept DHCP network settings
along with IP addresses, subnet masks, and DNS primary and (optional)
secondary servers.
2. ICMP Router Solicitation usually occurs upon boot with the computer sending out
a router multicast requesting the IP address of the router interface of the default
gateway.
Router Advertising
1. Even though a router will send a message back to the host giving the IP address of
a better router, it will still forward the originally sent packet to its destination.
2. There is a major drawback to redirection. Let’s say your default gateway forwards
your message to the next hop router. The next hop router may know of a third
router that would be a better choice and sends the redirection message back to the
sending host. The default gateway does not get this information, and although the
host can then amend its routing table to include the third router, the default
gateway will still be unaware of this and may continue to send packets through
the same next hop router it began to use.
1. The text mentions that some companies “limit the amount of ICMP traffic that
flows through their networks.” One of the most common attacks on a network is
called DoS (Denial of Service). It involves flooding a gateway server or router
with a huge amount of oversized ICMP packets in hopes (for the attacker,
anyway) of flooding the device’s memory buffer, which would cause a shutdown
and open a doorway into the network for the attacker. Security issues will be
covered in detail in Chapter 9.
3. The site www.warez.com is perhaps the most famous (infamous?) hacker tool site
on the Internet. Visiting this site or the other site mentioned in the text should be
for research purposes only; it is not recommended that your students download
any of the tools from these sites onto the school’s lab computers (unless
specifically requested to do so as part of a class project). The use of these tools,
either with school or personal computers, to compromise public or private
networks can result in civil and criminal proceedings being brought against the
student.
4. One of the techniques used by people to illicitly gain information about a network
is Passive Fingerprinting. This method is used to map a target network and the
networks and hosts communicating with it, using data from a protocol analyzer.
This is an example of why ICMP and a protocol analyzer together can be a
potential hazard to network security.
1. ICMPv6 has built-in security features that are designed to prevent attacks sent
from another network segment. These features include the value in the Hop Limit
field being set at 255. Also, the source address of ICMPv6 packets must be either
link-local or unspecified (::/128) for all Router Advertisement and Neighbor
Solicitation messages.
3. In short, except for the items already mentioned, ICMPv6 security is similar to
ICMPv4.
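The two receive-side checks listed above can be written as a small validator. This is an added example, not from the textbook; the function names and sample packets are constructed, and the source-address rule is implemented as the notes state it. The Hop Limit check works because every router decrements the field when forwarding, so a packet that arrives with 255 cannot have crossed a router.

```python
import ipaddress
import struct

# Message types the notes name for these checks (ICMPv6 type numbers).
CHECKED_TYPES = {134: "Router Advertisement", 135: "Neighbor Solicitation"}
ICMPV6_NEXT_HEADER = 58


def build_packet(src: str, dst: str, hop_limit: int, icmp_type: int) -> bytes:
    """Constructed IPv6 packet: fixed header followed directly by ICMPv6.

    The ICMPv6 checksum is left at zero because it is not examined here.
    """
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + bytes(4)
    header = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6_NEXT_HEADER, hop_limit)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + icmp)


def check_nd_packet(packet: bytes) -> list:
    """Return the list of violated checks; an empty list means accept.

    Assumes ICMPv6 follows the fixed IPv6 header (extension headers are not
    walked). Packets that are not RA or NS are outside these checks.
    """
    if len(packet) < 44:
        return ["truncated"]
    first_word, _length, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        return ["not-ipv6"]
    if next_header != ICMPV6_NEXT_HEADER or packet[40] not in CHECKED_TYPES:
        return []
    src = ipaddress.IPv6Address(packet[8:24])
    problems = []
    if hop_limit != 255:
        problems.append("hop-limit")     # was forwarded by at least one router
    if not (src.is_link_local or src.is_unspecified):
        problems.append("source")        # rule as stated in the notes
    return problems


# Constructed samples (2001:db8::/32 is the documentation prefix).
RA_ON_LINK = build_packet("fe80::1", "ff02::1", 255, 134)
RA_FORWARDED = build_packet("fe80::1", "ff02::1", 254, 134)
RA_GLOBAL_SRC = build_packet("2001:db8::1", "ff02::1", 255, 134)
NS_UNSPECIFIED = build_packet("::", "ff02::1:ff00:1", 255, 135)
ECHO_REQUEST = build_packet("2001:db8::1", "2001:db8::2", 64, 128)

if __name__ == "__main__":
    for name in ("RA_ON_LINK", "RA_FORWARDED", "RA_GLOBAL_SRC",
                 "NS_UNSPECIFIED", "ECHO_REQUEST"):
        print(name, check_nd_packet(globals()[name]))
```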
ICMPv4
1. Use Figure 5-34 and Table 5-21 to show the ICMPv4 Echo Request and Echo
Reply Message format fields.
ICMPv6
1. Use Figure 5-35 and Table 5-22 to show the ICMPv6 Echo Request and Echo
Reply Message format fields.
Quick Quiz 4
1. True or False: The ICMP Echo Request guarantees packet delivery.
Answer: False
3. The ____ utility is a command-line utility that uses ICMP Echo packets to test
router and link latency, as well as packet loss.
Answer: Pathping
1. The text mentions that some public sites block ICMP echo responses for security
reasons. If blocking ICMP is a good strategy for keeping your network safe from
intrusion from the Internet, why don’t all public sites follow this policy?
2. Assign half of the class the role of sysadmins of your school’s IT Department.
Assign the other half to be student users of the school’s computer network, which
includes Internet access. The issue is whether or not students should be allowed
access to ICMP utilities such as ping and Traceroute on university computers. The
sysadmins say “no” and the students say “yes.” Have each side discuss their
position, and as instructor, determine who has the more convincing argument.
Additional Projects
1. This project can only be done with the instructor’s approval if school computers
are involved. Go to www.pingplotter.com and download the freeware version of
their software. With the experience of this chapter and based on other relevant
information from the text, use the pingplotter utility to exercise as many of the
functions of ping and Tracert as it is capable of performing. Report to the class on
the benefits and drawbacks of using pingplotter compared to the more standard
ICMP utilities. NOTE: If students choose to download pingplotter onto their
personal computer equipment, they bear sole responsibility for their use of the
tool and the resulting outcomes.
Additional Resources
1. For information on a form of graphical Traceroute, go to www.pingplotter.com.
The site makes both freeware and shareware versions of their software available
for download. Please caution your students to not download any software onto
their school lab machines without specific direction from the instructor to do so.
This site is recommended only to introduce the students to the concept of a
graphical Traceroute utility.
3. As always, the relevant Request for Comment documents are good source
materials:
Key Terms
advertising rate—The rate at which a service (typically a routing service) is
announced on a network. An example of an advertising rate is the 10-minute
advertising rate for ICMP Router Advertisement packets.
allowable data size—The amount of data that can be transferred across a link; the
MTU.
auto-reconfiguration—The process of automatically changing the configuration
of a device. For example, when a PMTU host receives an ICMP Destination
Unreachable: Fragmentation Needed and Don’t Fragment was Set ICMP packet,
that host can reconfigure the outgoing MTU size to match the size dictated by the
restricting link.
auto-recovery—The process of automatically recovering from a fault. For
example, the process of black hole detection enables a host to auto-recover from a
communication failure caused by a router that does not forward packets and does
not send any messages indicating that an error occurred.
available routes—The known functional routes on an internetwork. Available
routes are not necessarily the optimal routes. On IP networks, routers periodically
advertise available routes.
average response time—The median time required to reply to a query. The
history of network average response times is used to provide a measurement for
comparison of current network responses.
backward compatibility—A feature that enables a device, process, or protocol to
operate with earlier versions of software or hardware that do not support all the
latest, up-to-date, or advanced features. For example, a PMTU host can
automatically and incrementally reduce the MTU size it uses until it learns the
supported PMTU size.
command-line parameter—Options added to a command issued at a prompt (not
in a windowed environment). For example, in the command arp -a, the -a is the
parameter for the command arp.
connectivity tests—Tests to determine the reachability of a device. IP PING and
TRACEROUTE are two utilities that can be used for connectivity testing.
Destination Unreachable message—An ICMP error message sent from a router
to a network host notifying the host that its message could not be delivered to its
destination.