Error and Control Messages in the Internet Protocol Extranormal communication among routers and hosts is sometimes necessary to: Report errors Handle abnormal conditions Update routing information The Internet Protocol defines a single mechanism for these types of messages

The Internet Control Message Protocol (ICMP) Normally generated by and intended for the IP software Two levels of encapsulation:

ICMP is for Error Reporting Errors are reported to a datagram’s original sender It is the sender’s responsibility to take appropriate action Exception: ICMP messages are not generated for errors that result from datagrams carrying ICMP messages

ICMP Message Format All ICMP messages begin with the same three fields: TYPE (1 octet) - identifies the message CODE (1 octet) - information about the subtype CHECKSUM (2 octets) - covers the ICMP message ICMP error messages always include the header and first 64 data bits of the datagram causing the problem

The ICMP TYPE Field Type Field ICMP Message Type ------------- -------------------------- 0 Echo Reply 3 Destination Unreachable 4 Source Quench 5 Redirect 8 Echo Request 11 Time Exceeded for Datagram 12 Parameter Problem on Datagram 13 Timestamp Request 14 Timestamp Reply 15 Information Request (obsolete) 16 Information Reply (obsolete) 17 Address Mask Request 18 Address Mask Reply

Echo Request and Reply Messages IDENTIFIER and SEQUENCE NUMBER Used by the sender to match replies with requests

Destination Unreachable Messages Sent when a router cannot deliver or forward a datagram

Destination Unreachable CODE Field Code Value Meaning -------------- ----------- 0 Network Unreachable 1 Host Unreachable 2 Protocol Unreachable 3 Port Unreachable 4 Fragmentation needed and DF set 5 Source Route Failed 6 Destination Network unknown 7 Destination Host Unknown 8 Source Host Isolated 9 Comm. Administratively prohibited (network) 10 Comm. Administratively prohibited (host) 11 Network unreachable for type of service 12 Host unreachable for type of service

Congestion and Datagram Flow Control Most routers have a limited queue in which to store arriving datagrams Congestion - a router is overrun with traffic High-speed computer sends datagrams faster than a router can retransmit them Many computers send datagrams to the same router at once

Source Quench Message Congested routers send one for every datagram they drop:

Source Quench Messages Hosts that receive source quench messages should stop sending datagrams to that router (temporarily) When it hasn’t received a source quench message in a while, the host can start gradually increasing its traffic again

Redirect Messages Hosts initialize routing table at startup When a router detects a host using a nonoptimal route it sends the host a ICMP redirect message Net 1 Net 2 Net 3 R1 R2 H

Redirect Messages Code Value Meaning -------------- ----------- -------------- ----------- 0 Redirect datagrams for the Net (obsolete) 1 Redirect datagrams for the Host 2 Redirect datagrams for the Type of Service and Net 3 Redirect datagrams for the Type of Service and Host

Time Exceeded Messages Code 0 - Datagram dropped because TTL reached 0 Code 1 - Datagram dropped because fragment reassembly time exceeded

ICMP – Security Issues ICMP can be a source of security vulnerabilities: Flaws in ICMP implementation can be exploited Recall the teardrop vulnerability in IP ICMP is well suited for denial-of-service attacks Anyone notice the –f (flood) option to ping? According to the man page: “This can be very hard on a network and should be used with caution.”

Ping of Death Attacker constructs an ICMP echo request message containing 65,510 data octets and sends it to a victim host:

Ping of Death (cont) The total size of the resulting datagram (65538 octets) is larger than the 65,536 octet limit specified by IP Several systems did not handle this oversized IP datagram properly Hang Crash Reboot Fixed by software patches

Smurf Attacker sends ICMP echo request messages to a broadcast address at an intermediate site Broadcast address = a copy of the datagram is delivered to every host connected to a specified network For some broadcast address, a single request could generate replies from dozens or hundreds of hosts The source address in each request packet is spoofed so that replies are sent to a victim machine Result: the victim’s machine/network is flooded by ICMP echo replies Many sites have reconfigured their machines so that their machines do not respond to ICMP echo requests sent to a broadcast address

Smurf (cont)

ICMP - Summary ICMP provides a mechanism for extranormal communication among routers and hosts Echo request/reply Destination unreachable Source quench Redirect Time exceeded Sometimes incoming ICMP messages are blocked for security reasons