chapter 4: internet control message protocol
Guide to TCP/IP, Third Edition
Chapter 4: Internet Control Message Protocol

CISNTWK-11Permissions

Objectives
• Understand the Internet Control Message Protocol
• Test and troubleshoot sequences for Internet Control Message Protocol
• Work with Internet Control Message Protocol packet fields and functions

Understanding The Internet Control Message Protocol
• ICMP
  – Provides information about network connectivity and routing behavior
  – Provides a way to return information to senders
  – Messages are nothing more than specially formatted IP datagrams

Overview of RFC 792
• RFC 792
  – Provides basic specification for all ICMP messages
• According to RFC 792, ICMP
  – Provides mechanism for gateways (routers) or destination hosts to communicate with source hosts
  – Takes the form of specially formatted IP datagrams
  – Required in some implementations of TCP/IP
  – Reports errors about processing of non-ICMP IP datagrams

ICMP’s Vital Role on IP Networks
• ICMP’s job is to provide information about
  – IP routing behavior
  – Reachability
  – Routes between specific pairs of IP hosts
  – Delivery errors

Testing And Troubleshooting Sequences For ICMP: Connectivity Testing with Ping
• PING and TRACEROUTE
  – Rely on ICMP to perform connectivity tests and path discovery
• PING
  – Actually a form of ICMP Echo communication
• ICMP Echo Request
  – Connectionless process with no guarantee of delivery

Connectivity Testing with PING (continued)
• Most PING utilities
  – Send series of several Echo Requests to the target in order to obtain average response time
• PING utility
  – Sends series of four ICMP Echo Requests with a one-second ICMP Echo Reply Timeout value
  – Supports IP addresses and names
  – Uses traditional name resolution processes

Connectivity Testing with PING (cont’d)
• Parameters available with the PING utility
  – -l size
  – -f
  – -i TTL
  – -v TOS
  – -w timeout

Path Discovery with TRACEROUTE
• TRACEROUTE utility
  – Uses route tracing to identify a path from sender to target host
  – Available parameters
    • -d
    • -h
    • -w

Path Discovery with PATHPING
• PATHPING utility
  – Command-line utility
  – Uses ICMP Echo packets to test router and link latency, as well as packet loss
• PMTU Discovery
  – Enables source to learn the currently supported MTU across an entire path

Path MTU Discovery with ICMP
• PMTU process
  – Host A sends a 4,096-byte packet to Host B
  – Router 1 discards packet and sends Host A a “Fragmentation Needed and Don’t Fragment Flag was Set” ICMP packet
  – Host A re-sends packet using maximum MTU size of 1,500
  – Router 1 strips off token ring header and applies Ethernet header before forwarding packet

Routing Sequences for ICMP
• ICMP
  – Can provide some routing information to hosts
  – Used by routers to provide a default gateway setting to a host
• Routers
  – Can send ICMP messages

Router Discovery
• IP hosts
  – Typically learn about routes through manual configuration of
    • Default gateway parameter and redirection messages
  – Send ICMP Router Solicitations and routers reply with ICMP Router Advertisements
• By default
  – ICMP Router Solicitation packet is sent to the all-routers IP multicast address 224.0.0.2

Router Advertising
• ICMP Router Advertisements
  – Allow hosts to passively learn about available routes
• Default Lifetime value for route entries
  – 30 minutes
• Default advertising rate
  – Between seven and ten minutes

Security Issues For ICMP
• ICMP
  – Can be used as an information-gathering tool
• IP address scanning process
  – One method of obtaining a list of the active hosts
• IP host probe
  – Performed by sending a PING packet to each host within a range and noting the responses
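
Detecting the IP host probe described above from the defender's side, as an added example that is not part of the original slides: it flags any source that sends Echo Requests to many distinct hosts inside a short window and lists which hosts answered it. The event tuple layout, the window and threshold values, and the sample addresses are assumptions made for the illustration.

```python
from collections import defaultdict, deque

ECHO_REPLY, ECHO_REQUEST = 0, 8     # ICMP Type values

def find_sweeps(events, window=10.0, threshold=5):
    """Flag sources that ping many distinct hosts within `window` seconds.

    events: time-sorted (timestamp, src_ip, dst_ip, icmp_type) tuples.
    Returns {source: {"targets": peak distinct hosts, "responders": [...]}}.
    """
    recent = defaultdict(deque)     # source -> (timestamp, target) inside the window
    peak = defaultdict(int)         # source -> most distinct targets in one window
    answered = defaultdict(set)     # source -> hosts that sent it an Echo Reply
    for ts, src, dst, icmp_type in events:
        if icmp_type == ECHO_REPLY:
            answered[dst].add(src)  # the reply's destination is the prober
            continue
        if icmp_type != ECHO_REQUEST:
            continue
        queue = recent[src]
        queue.append((ts, dst))
        while ts - queue[0][0] > window:        # drop requests older than the window
            queue.popleft()
        peak[src] = max(peak[src], len({target for _, target in queue}))
    return {src: {"targets": count, "responders": sorted(answered[src])}
            for src, count in peak.items() if count >= threshold}

# Constructed sample events (documentation address ranges, not real traffic).
EVENTS = sorted(
    # one source walking 20 addresses in under four seconds
    [(i * 0.2, "192.0.2.66", f"198.51.100.{i + 1}", 8) for i in range(20)]
    # two of those addresses answer
    + [(0.45, "198.51.100.3", "192.0.2.66", 0), (1.25, "198.51.100.7", "192.0.2.66", 0)]
    # ordinary repeated ping of a single host
    + [(float(i), "192.0.2.10", "198.51.100.5", 8) for i in range(20)]
    # monitoring that touches a new host only every 30 seconds
    + [(i * 30.0, "192.0.2.20", f"198.51.100.{i + 1}", 8) for i in range(6)]
)
```

The responders list is the set of addresses the probe learned are alive, which is the information worth limiting with Echo filtering at the perimeter.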

ICMP Redirect Attack
• ICMP
  – Used to manipulate traffic flow between hosts
• Attacker can
  – Redirect traffic to his machine and perform any number of man-in-the-middle style attacks

ICMP Router Discovery
• Susceptible to attack on the local network segment
• During discovery process
  – Router solicitation message finds its way to attacker’s machine
• Timing is critical

Inverse Mapping
• One method of determining live targets on a network
• Firewalking
  – Describes the concept of walking a firewall ACL or ruleset to determine what it filters and how
  – A two-phase attack method

ICMP Packet Fields and Functions
• Value 1 in IP header Protocol field
  – Denotes that an ICMP header follows the IP header
• ICMP header portions
  – Constant portion
  – Variable portion

Constant ICMP Fields
• ICMP packets contain three required fields after the IP header
  – Type
  – Code
  – Checksum

The Variable ICMP Structures and Functions
• ICMP Type 0
  – Used for Echo Reply packets
• ICMP Type 8
  – Used for Echo Request packets
• RFC 792
  – Identifier and Sequence fields are used to aid in matching Echo messages with Echo Replies
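
The constant fields (Type, Code, Checksum) and the Echo-specific Identifier and Sequence fields, as an added example that is not part of the original slides: it builds Echo messages, verifies the checksum on receipt, and accepts a reply only when it echoes the request. The function names and the sample identifier, sequence numbers and payload are assumptions made for the illustration.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8   # Type values from the slides

def inet_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (the Internet checksum)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Type, Code, Checksum, then Identifier, Sequence and the echoed data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)   # computed with the field zeroed
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(message: bytes) -> dict:
    """Parse the constant fields; reject short or corrupted messages."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, csum = struct.unpack("!BBH", message[:4])
    if inet_checksum(message) != 0:          # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    fields = {"type": icmp_type, "code": code, "checksum": csum}
    if icmp_type in (ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST):
        fields["id"], fields["seq"] = struct.unpack("!HH", message[4:8])
        fields["payload"] = message[8:]
    return fields

def reply_matches(request: bytes, reply: bytes) -> bool:
    """A reply answers a request only if id, sequence and data all echo back."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (req["type"] == ICMP_ECHO_REQUEST and rep["type"] == ICMP_ECHO_REPLY
            and (req["id"], req["seq"], req["payload"])
            == (rep["id"], rep["seq"], rep["payload"]))

# Constructed sample messages (not captured traffic).
REQUEST = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh")
GOOD_REPLY = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"abcdefgh")
STALE_REPLY = build_echo(ICMP_ECHO_REPLY, 0x1234, 7, b"abcdefgh")   # wrong sequence
CORRUPT = REQUEST[:-1] + b"i"                # last payload byte altered in transit
```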

Type 3: Destination Unreachable Packets
• Network troubleshooters
  – Often closely track ICMP Destination Unreachable packets
• Host that sends Destination Unreachable packet
  – Must return IP header and eight bytes of original datagram that triggered this response
• Total of 16 (0 through 15) possible codes
  – Currently assigned to ICMP Destination Unreachable type number
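
How a sending host can use the returned IP header and eight bytes, covering both this slide and the Path MTU Discovery slide, as an added example that is not part of the original slides: it parses a Type 3, Code 4 message and lowers the path MTU only when the quoted datagram matches a flow the host really has open. The next-hop MTU field position comes from RFC 1191, checksum verification is assumed to have been done already, and the flow table, function names and sample addresses are assumptions.

```python
import socket
import struct

DEST_UNREACHABLE, FRAG_NEEDED = 3, 4
MIN_IPV4_MTU = 68                     # smallest MTU every IPv4 hop must carry

def parse_unreachable(icmp: bytes) -> dict:
    """Split a Type 3 message into code, next-hop MTU and the quoted datagram."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short to quote an IP header plus eight bytes")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != DEST_UNREACHABLE:
        raise ValueError("not a Destination Unreachable message")
    quoted = icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4      # quoted IP header length in bytes
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("malformed quoted IP header")
    flags_frag, = struct.unpack("!H", quoted[6:8])
    # For TCP and UDP the first four quoted payload bytes are the two ports.
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {
        "code": code, "next_hop_mtu": mtu,
        "df": bool(flags_frag & 0x4000),          # Don't Fragment bit
        "flow": (socket.inet_ntoa(quoted[12:16]), sport,
                 socket.inet_ntoa(quoted[16:20]), dport, quoted[9]),
    }

def new_path_mtu(icmp: bytes, active_flows: set, current_mtu: int):
    """Return the lowered MTU, or None if the message should be ignored."""
    info = parse_unreachable(icmp)
    if info["code"] != FRAG_NEEDED or not info["df"]:
        return None
    if info["flow"] not in active_flows:          # quotes traffic we never sent
        return None
    if not MIN_IPV4_MTU <= info["next_hop_mtu"] < current_mtu:
        return None                               # absurd or non-shrinking value
    return info["next_hop_mtu"]

def sample_frag_needed(mtu, src="192.0.2.10"):
    """Constructed message quoting a 4,096-byte TCP datagram with DF set."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 4096, 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton("198.51.100.20"))
    tcp8 = struct.pack("!HHI", 49152, 443, 1000)  # ports and sequence number
    return struct.pack("!BBHHH", DEST_UNREACHABLE, FRAG_NEEDED, 0, 0, mtu) + ip + tcp8

FLOWS = {("192.0.2.10", 49152, "198.51.100.20", 443, 6)}   # constructed flow table
```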

Type 4: Source Quench
• Router or host
  – May use Source Quench to indicate that it is becoming congested or overloaded
• By default
  – Most current routers do not issue Source Quench messages

Type 5: Redirect
• Routers
  – Send ICMP Redirect messages to hosts to indicate that a preferable route exists
• ICMP Redirect packet
  – Four-byte field for the preferred gateway’s address
• Ideally
  – Clients should update routing tables to indicate optimal path
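
A host-side acceptance check for Redirects, relevant to both this slide and the ICMP Redirect Attack slide, as an added example that is not part of the original slides: it reads the four-byte gateway field and applies the two tests from RFC 1122 section 3.2.2.2 (the sender must be the current first hop for the quoted destination, and the new gateway must be on the local subnet). The routing table shape, function names and sample addresses are assumptions, and checksum verification is assumed to have been done already.

```python
import ipaddress
import struct

REDIRECT = 5

def first_hop(dst, routes):
    """Longest-prefix match over {network: gateway}; None when nothing matches."""
    hits = [(ipaddress.ip_network(net), gw) for net, gw in routes.items()
            if dst in ipaddress.ip_network(net)]
    if not hits:
        return None
    return ipaddress.IPv4Address(max(hits, key=lambda h: h[0].prefixlen)[1])

def check_redirect(icmp, sender, iface_net, routes):
    """Return (accept, detail) for a Redirect received from `sender`."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != REDIRECT:
        return (False, "not a well-formed Redirect")
    gateway = ipaddress.IPv4Address(icmp[4:8])        # four-byte preferred gateway
    quoted_dst = ipaddress.IPv4Address(icmp[24:28])   # destination of quoted datagram
    if ipaddress.IPv4Address(sender) != first_hop(quoted_dst, routes):
        return (False, "sender is not the current first hop for " + str(quoted_dst))
    if gateway not in ipaddress.ip_network(iface_net):
        return (False, "new gateway " + str(gateway) + " is off-link")
    return (True, str(gateway))

def make_redirect(gateway, dst):
    """Constructed Redirect (code 1, host) quoting a UDP datagram sent to `dst`."""
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                         ipaddress.IPv4Address("192.0.2.10").packed,
                         ipaddress.IPv4Address(dst).packed) + bytes(8)
    return struct.pack("!BBH4s", REDIRECT, 1, 0,
                       ipaddress.IPv4Address(gateway).packed) + quoted

ROUTES = {"0.0.0.0/0": "192.0.2.1"}       # constructed host routing table
NET = "192.0.2.0/24"                      # constructed local subnet
```

A Redirect that fails either test is worth logging with its sender address, since a legitimate router on the segment has no reason to produce one.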

Types 9 and 10: Router Advertisement and Router Solicitation
• ICMP Router Advertisement packets include the following fields
  – # of Addresses
  – Address Size
  – Lifetime
  – Router Address 1
  – Precedence Level 1
  – Router Address 2 and Precedence Level 2

Type 11: Time Exceeded
• Routers or hosts
  – Can send these ICMP packets
• Codes that can be used
  – Code 0 and Code 1

Type 12: Parameter Problem
• Errors indicate problems not covered by other ICMP error messages
• Codes used in ICMP Parameter Problem messages
  – Code 0: Pointer Indicates the Error
  – Code 1: Missing a Required Option
  – Code 2: Bad Length

Types 13 and 14: Timestamp and Timestamp Reply
• Defined as a method for one IP host to obtain the current time
• Value returned
  – The number in milliseconds since midnight, Universal Time (UT)
• ICMP Timestamp and Timestamp Reply packets
  – Use the same structure

Types 15 and 16: Information Request and Information Reply
• Provides a way for a host to find out what network it is on
• ICMP Information Request and Information Reply packets
  – Use the same structure

Types 17 and 18: Address Mask Request and Address Mask Reply
• Intended to provide diskless hosts with a method to determine their network mask information
• ICMP Address Mask Request and Address Mask Reply packets
  – Use the same structure

Type 30: TRACEROUTE
• Documented in RFC 1393 but not currently in use
• Requires some added functionality in the IP routers it traverses
• Adding functionality to routers
  – Costly and requires numerous resources to build, implement, and test new code

Summary
• ICMP
  – Provides vital feedback about IP routing and delivery problems
  – Really part of IP itself
  – Support is required in any standards-compliant IP implementation
  – Used by PING and TRACEROUTE to measure round-trip times
  – Supports PMTU Discovery between a sender and a receiver

Summary (continued)
• Route and routing error information from ICMP
  – Derives from numerous types of ICMP messages
• ICMP
  – Supports route optimization through its ICMP Redirect message type
  – Security issues are important
  – Message structures and functions can vary