Chapter 4: Internet Control Message Protocol

Guide to TCP/IP, Third Edition, Chapter 4: Internet Control Message Protocol


Post on 12-Sep-2021


Page 1: Chapter 4: Internet Control Message Protocol

Guide to TCP/IP, Third Edition

Chapter 4: Internet Control Message Protocol

Page 2: Chapter 4: Internet Control Message Protocol

CISNTWK-11 Permissions

Objectives

• Understand the Internet Control Message Protocol
• Test and troubleshoot sequences for Internet Control Message Protocol
• Work with Internet Control Message Protocol packet fields and functions

Page 3: Chapter 4: Internet Control Message Protocol

Understanding The Internet Control Message Protocol

• ICMP
  – Provides information about network connectivity and routing behavior
  – Provides a way to return information to senders
  – Messages are nothing more than specially formatted IP datagrams

Page 4: Chapter 4: Internet Control Message Protocol

Overview of RFC 792

• RFC 792
  – Provides basic specification for all ICMP messages
• According to RFC 792, ICMP
  – Provides mechanism for gateways (routers) or destination hosts to communicate with source hosts
  – Takes the form of specially formatted IP datagrams
  – Required in some implementations of TCP/IP
  – Reports errors about processing of non-ICMP IP datagrams

Page 5: Chapter 4: Internet Control Message Protocol

ICMP’s Vital Role on IP Networks

• ICMP’s job is to provide information about
  – IP routing behavior
  – Reachability
  – Routes between specific pairs of IP hosts
  – Delivery errors


Page 8: Chapter 4: Internet Control Message Protocol

Testing And Troubleshooting Sequences For ICMP: Connectivity Testing with Ping

• PING and TRACEROUTE
  – Rely on ICMP to perform connectivity tests and path discovery
• PING
  – Actually a form of ICMP Echo communication
• ICMP Echo Request
  – Connectionless process with no guarantee of delivery


Page 10: Chapter 4: Internet Control Message Protocol

Connectivity Testing with PING (continued)

• Most PING utilities
  – Send series of several Echo Requests to the target in order to obtain average response time
• PING utility
  – Sends series of four ICMP Echo Requests with a one-second ICMP Echo Reply Timeout value
  – Supports IP addresses and names
  – Uses traditional name resolution processes


Page 12: Chapter 4: Internet Control Message Protocol

Connectivity Testing with PING (cont’d)

• Parameters available with the PING utility
  – -l size
  – -f
  – -i TTL
  – -v TOS
  – -w timeout

Page 13: Chapter 4: Internet Control Message Protocol

Path Discovery with TRACEROUTE

• TRACEROUTE utility
  – Uses route tracing to identify a path from sender to target host
  – Available parameters
    • -d
    • -h
    • -w


Page 15: Chapter 4: Internet Control Message Protocol

Path Discovery with PATHPING

• PATHPING utility
  – Command-line utility
  – Uses ICMP Echo packets to test router and link latency, as well as packet loss
• PMTU Discovery
  – Enables source to learn the currently supported MTU across an entire path

Page 16: Chapter 4: Internet Control Message Protocol

Path MTU Discovery with ICMP

• PMTU process
  – Host A sends a 4,096-byte packet to Host B
  – Router 1 discards packet and sends Host A a “Fragmentation Needed and Don’t Fragment Flag was Set” ICMP packet
  – Host A re-sends packet using maximum MTU size of 1,500
  – Router 1 strips off token ring header and applies Ethernet header before forwarding packet


Page 19: Chapter 4: Internet Control Message Protocol

Routing Sequences for ICMP

• ICMP
  – Can provide some routing information to hosts
  – Used by routers to provide a default gateway setting to a host
• Routers
  – Can send ICMP messages

Page 20: Chapter 4: Internet Control Message Protocol

Router Discovery

• IP hosts
  – Typically learn about routes through manual configuration of
    • Default gateway parameter and redirection messages
  – Send ICMP Router Solicitations and routers reply with ICMP Router Advertisements
• By default
  – ICMP Router Solicitation packet is sent to the all-routers IP multicast address 224.0.0.2


Page 22: Chapter 4: Internet Control Message Protocol

Router Advertising

• ICMP Router Advertisements
  – Allow hosts to passively learn about available routes
• Default Lifetime value for route entries
  – 30 minutes
• Default advertising rate
  – Between seven and ten minutes


Page 24: Chapter 4: Internet Control Message Protocol

Security Issues For ICMP

• ICMP
  – Can be used as an information-gathering tool
• IP address scanning process
  – One method of obtaining a list of the active hosts
• IP host probe
  – Performed by sending a PING packet to each host within a range and noting the responses
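Added example (not from the slides or the textbook): detection logic for the IP host probe described above, run over constructed ICMP records. The record layout, the function names, and the 10-targets-in-10-seconds threshold are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample records: (seconds, source, destination, ICMP type).
SAMPLE = (
    [(t, "10.0.0.99", f"10.0.1.{t + 1}", 8) for t in range(12)]  # 12 targets in 12 s
    + [(t * 5, "10.0.0.5", "10.0.1.1", 8) for t in range(12)]    # monitor, one target
    + [(3, "10.0.1.4", "10.0.0.99", 0), (6, "10.0.1.7", "10.0.0.99", 0)]  # replies
)

def find_sweeps(records, window=10, min_targets=10):
    """Return {source: peak distinct targets} for every source whose Echo
    Requests (type 8) reached min_targets hosts within window seconds."""
    recent = defaultdict(deque)  # source -> (time, destination) still in window
    peaks = {}
    for ts, src, dst, icmp_type in sorted(records):
        if icmp_type != 8:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] >= window:  # drop requests older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= min_targets:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks

def hosts_that_answered(records, source):
    """Hosts that sent an Echo Reply (type 0) to source, i.e. what it learned."""
    return sorted({s for _, s, d, t in records if t == 0 and d == source})
```

The host that pings one target repeatedly stays below the threshold because the count is of distinct destinations, not of packets.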

Page 25: Chapter 4: Internet Control Message Protocol

ICMP Redirect Attack

• ICMP
  – Used to manipulate traffic flow between hosts
• Attacker can
  – Redirect traffic to his machine and perform any number of man-in-the-middle style attacks

Page 26: Chapter 4: Internet Control Message Protocol

ICMP Router Discovery

• Susceptible to attack on the local network segment
• During discovery process
  – Router solicitation message finds its way to attacker’s machine
• Timing is critical

Page 27: Chapter 4: Internet Control Message Protocol

Inverse Mapping

• One method of determining live targets on a network
• Firewalking
  – Describes the concept of walking a firewall ACL or ruleset to determine what it filters and how
  – A two-phase attack method

Page 28: Chapter 4: Internet Control Message Protocol

ICMP Packet Fields and Functions

• Value 1 in IP header Protocol field
  – Denotes that an ICMP header follows the IP header
• ICMP header portions
  – Constant portion
  – Variable portion


Page 30: Chapter 4: Internet Control Message Protocol

Constant ICMP Fields

• ICMP packets contain three required fields after the IP header
  – Type
  – Code
  – Checksum

Page 31: Chapter 4: Internet Control Message Protocol

The Variable ICMP Structures and Functions

• ICMP Type 0
  – Used for Echo Reply packets
• ICMP Type 8
  – Used for Echo Request packets
• RFC 792
  – Identifier and Sequence fields are used to aid in matching Echo messages with Echo Replies
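Added example (not from the slides or the textbook): a Python parser for the three constant fields (Type, Code, Checksum) that verifies the checksum with the RFC 1071 algorithm and uses the Identifier and Sequence fields to pair Echo Replies with Echo Requests. Function names and sample values are constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an Echo Request (8) or Echo Reply (0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(msg: bytes) -> dict:
    """Split the constant fields from the variable part of the message."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, csum = struct.unpack("!BBH", msg[:4])
    out = {"type": icmp_type, "code": code, "checksum": csum,
           "checksum_ok": inet_checksum(msg) == 0}  # valid messages sum to zero
    if icmp_type in (0, 8):  # Echo Reply / Echo Request carry Identifier, Sequence
        out["id"], out["seq"] = struct.unpack("!HH", msg[4:8])
        out["payload"] = msg[8:]
    return out

def match_replies(requests, replies):
    """Pair replies with outstanding requests; return (matched, unsolicited)."""
    pending = {}
    for raw in requests:
        p = parse_icmp(raw)
        if p["type"] == 8 and p["checksum_ok"]:
            pending[(p["id"], p["seq"])] = p["payload"]
    matched, unsolicited = [], []
    for raw in replies:
        p = parse_icmp(raw)
        key = (p.get("id"), p.get("seq"))
        if p["type"] == 0 and p["checksum_ok"] and pending.get(key) == p["payload"]:
            matched.append(key)
            del pending[key]
        else:
            unsolicited.append(key)
    return matched, unsolicited

# Constructed sample: an Echo Request and the Echo Reply that answers it.
SAMPLE_REQ, SAMPLE_REP = (build_echo(t, 0x1234, 1, b"abcdefgh") for t in (8, 0))
```

Replies that are duplicated, carry a bad checksum, or answer no outstanding request land in the unsolicited list, which is the set worth reviewing on a monitored host.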


Page 34: Chapter 4: Internet Control Message Protocol

Type 3: Destination Unreachable Packets

• Network troubleshooters
  – Often closely track ICMP Destination Unreachable packets
• Host that sends Destination Unreachable packet
  – Must return IP header and eight bytes of original datagram that triggered this response
• Total of 16 (0 through 15) possible codes
  – Currently assigned to ICMP Destination Unreachable type number
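Added example (not from the slides or the textbook): decoding a Destination Unreachable message and the returned IP header plus eight bytes, using the earlier PMTU scenario (a 4,096-byte packet met by a 1,500-byte link) as constructed input. The next-hop MTU field is the RFC 1191 extension, which the slides do not show; `accept_pmtu` and its flow-table argument are hypothetical names for a receiver-side plausibility check, and checksum verification is left out here.

```python
import ipaddress
import struct

def parse_dest_unreachable(msg: bytes) -> dict:
    """Decode an ICMP Type 3 message and the original-datagram excerpt it returns."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("no room for an IP header plus eight bytes of datagram")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message")
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("returned IP header is malformed or truncated")
    total_len, _id, flags_frag = struct.unpack("!HHH", inner[2:8])
    info = {
        "code": code,
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_proto": inner[9],
        "orig_len": total_len,
        "df": bool(flags_frag & 0x4000),  # Don't Fragment flag of the original
    }
    if inner[9] in (6, 17):  # TCP/UDP: the eight bytes start with the two ports
        info["sport"], info["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    if code == 4:  # RFC 1191 carries the next-hop MTU in the last 16 header bits
        info["next_hop_mtu"] = mtu
    return info

def accept_pmtu(info: dict, sent_flows: set) -> bool:
    """Lower the path MTU only for a flow this host really sent with DF set."""
    flow = (info["orig_src"], info["orig_dst"], info["orig_proto"],
            info.get("sport"), info.get("dport"))
    mtu = info.get("next_hop_mtu", 0)
    return (info["code"] == 4 and info["df"] and flow in sent_flows
            and 68 <= mtu < info["orig_len"])  # 68 is the minimum IPv4 MTU

def sample_frag_needed() -> bytes:
    """Constructed sample: Router 1 reporting MTU 1500 for a 4,096-byte TCP datagram."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 4096, 1, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address("198.51.100.20").packed)
    tcp8 = struct.pack("!HHI", 49152, 443, 1000)
    return struct.pack("!BBHHH", 3, 4, 0, 0, 1500) + ip + tcp8
```

The returned header and eight bytes are what let the receiver tie the error to a connection it actually owns, which is why a forged message quoting an unknown flow is rejected.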


Page 37: Chapter 4: Internet Control Message Protocol

Type 4: Source Quench

• Router or host
  – May use Source Quench to indicate that it is becoming congested or overloaded
• By default
  – Most current routers do not issue Source Quench messages


Page 39: Chapter 4: Internet Control Message Protocol

Type 5: Redirect

• Routers
  – Send ICMP Redirect messages to hosts to indicate that a preferable route exists
• ICMP Redirect packet
  – Four-byte field for the preferred gateway’s address
• Ideally
  – Clients should update routing tables to indicate optimal path
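Added example (not from the slides or the textbook): a host-side check that reads the four-byte gateway field of a Redirect and applies the two discard rules from RFC 1122 section 3.2.2.2, which also bears on the ICMP Redirect Attack slide earlier in the chapter. The `next_hops` cache, function names, and addresses are hypothetical and constructed for illustration.

```python
import ipaddress
import struct

def parse_redirect(msg: bytes) -> dict:
    """Decode an ICMP Type 5 message: the four-byte gateway field and the
    destination taken from the IP header of the datagram it quotes."""
    if len(msg) < 8 + 20:
        raise ValueError("truncated Redirect")
    icmp_type, code, _csum, gateway = struct.unpack("!BBH4s", msg[:8])
    if icmp_type != 5 or code > 3:
        raise ValueError("not a valid Redirect")
    return {"code": code,
            "gateway": ipaddress.IPv4Address(gateway),
            "orig_dst": ipaddress.IPv4Address(msg[24:28])}

def redirect_verdict(msg, sender, iface_net, next_hops, default_gw):
    """Apply the two RFC 1122 (section 3.2.2.2) discard rules.
    next_hops is a hypothetical {destination: gateway} cache for this host."""
    r = parse_redirect(msg)
    current = next_hops.get(str(r["orig_dst"]), default_gw)
    if ipaddress.IPv4Address(sender) != ipaddress.IPv4Address(current):
        return False, "sender is not the current first-hop gateway"
    if r["gateway"] not in ipaddress.ip_network(iface_net):
        return False, "new gateway is off the connected subnet"
    return True, "ok"

# Constructed sample: IP header of a UDP datagram 192.168.1.10 -> 203.0.113.7.
QUOTED = bytes.fromhex("4500003c0001000040110000c0a8010acb007107") + bytes(8)

def sample_redirect(gateway: str) -> bytes:
    """Constructed Redirect for Host (code 1); the checksum is left at zero."""
    return struct.pack("!BBH4s", 5, 1, 0,
                       ipaddress.IPv4Address(gateway).packed) + QUOTED
```

Neither rule authenticates the sender, so hosts that do not need Redirects are commonly configured to ignore them.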

Page 40: Chapter 4: Internet Control Message Protocol

Types 9 and 10: Router Advertisement and Router Solicitation

• ICMP Router Advertisement packets include the following fields
  – # of Addresses
  – Address Size
  – Lifetime
  – Router Address 1
  – Precedence Level 1
  – Router Address 2 and Precedence Level 2

Page 41: Chapter 4: Internet Control Message Protocol

Type 11: Time Exceeded

• Routers or hosts
  – Can send these ICMP packets
• Codes that can be used
  – Code 0 and Code 1

Page 42: Chapter 4: Internet Control Message Protocol

Type 12: Parameter Problem

• Errors indicate problems not covered by other ICMP error messages
• Codes used in ICMP Parameter Problem messages
  – Code 0: Pointer Indicates the Error
  – Code 1: Missing a Required Option
  – Code 2: Bad Length

Page 43: Chapter 4: Internet Control Message Protocol

Types 13 and 14: Timestamp and Timestamp Reply

• Defined as a method for one IP host to obtain the current time
• Value returned
  – The number in milliseconds since midnight, Universal Time (UT)
• ICMP Timestamp and Timestamp Reply packets
  – Use the same structure

Page 44: Chapter 4: Internet Control Message Protocol

Types 15 and 16: Information Request and Information Reply

• Provides a way for a host to find out what network it is on
• ICMP Information Request and Information Reply packets
  – Use the same structure

Page 45: Chapter 4: Internet Control Message Protocol

Types 17 and 18: Address Mask Request and Address Mask Reply

• Intended to provide diskless hosts with a method to determine their network mask information
• ICMP Address Mask Request and Address Mask Reply packets
  – Use the same structure

Page 46: Chapter 4: Internet Control Message Protocol

Type 30: TRACEROUTE

• Documented in RFC 1393 but not currently in use
• Requires some added functionality in the IP routers it traverses
• Adding functionality to routers
  – Costly and requires numerous resources to build, implement, and test new code


Page 48: Chapter 4: Internet Control Message Protocol

Summary

• ICMP
  – Provides vital feedback about IP routing and delivery problems
  – Really part of IP itself
  – Support is required in any standards-compliant IP implementation
  – Used by PING and TRACEROUTE to measure round-trip times
  – Supports PMTU Discovery between a sender and a receiver

Page 49: Chapter 4: Internet Control Message Protocol

Summary (continued)

• Route and routing error information from ICMP
  – Derives from numerous types of ICMP messages
• ICMP
  – Supports route optimization through its ICMP Redirect message type
  – Security issues are important
  – Message structures and functions can vary