Tag Archives: icmp

  • Pushing Firewall Admins into an ICMPv6 Frame of Mind

    Path MTU discovery (PMTUD) is far from a new concept to IT folk. A sending node sets the Don’t Fragment bit in its IPv4 header, which is the node’s way of telling any router along the path to the packet’s destination that it may not fragment the packet into smaller parts. The router, being an obedient device, honours the instructions in the packet and, when the exit interface does not support the size of the packet, drops it rather than fragmenting it. Now, it is polite, but not required, for routers to tell you when they do such things. The router that dropped your unfragmentable packet can (and should) send you back a nice ICMP message that effectively says, “…just wanted you to know that the packet you just sent was too big to go out my interface so I dropped it. The biggest MTU I can handle on that interface is ____________ bytes. If you want, you can try again with an MTU no bigger than that.” This ICMP message originates from the router that dropped your packet and is sent back to you (also note that routers can be configured to quietly discard the packets, sending you no ICMP Packet Too Big message). The problem we have had for years is that firewall administrators, who live in a perpetual state of fear of all things ICMP, frequently disable IP unreachable packet generation on routers and also block most, if not all, incoming ICMP traffic from the Internet. This was a problem in IPv4, where it can produce some interesting troubleshooting scenarios. Disabling IP unreachables (using the ‘no ip unreachables’ command on Cisco routers) is considered a security best practice even though it is widely known to cause PMTUD issues. The problem persists in IPv6 and is arguably worse.
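As an added illustration (not code from the original post), the following Python decodes the ICMPv6 Packet Too Big message described above (RFC 4443 type 2: type, code, checksum, then the 4-byte MTU the dropping router advertises) and evaluates a simplified first-match inbound policy to show why a blanket "drop all ICMPv6" rule breaks PMTUD while a policy that admits the error types does not. The message bytes and both rule sets are constructed samples; the rule model is an assumption for illustration, not any particular firewall's syntax.

```python
import struct

# ICMPv6 message types from RFC 4443 (the IPv4 counterpart of type 2 is type 3 code 4)
DEST_UNREACHABLE, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4
IPV6_MIN_MTU = 1280  # minimum IPv6 link MTU; a router should never advertise less


def parse_packet_too_big(msg: bytes) -> dict:
    """Decode an ICMPv6 message and report the MTU advertised by the dropping router.

    Wire layout: type(1) code(1) checksum(2) MTU(4), followed by as much of the
    dropped ("invoking") packet as fits. The checksum is not verified here.
    """
    if len(msg) < 8:
        raise ValueError("truncated ICMPv6 header")
    msg_type, code, _cksum, mtu = struct.unpack("!BBHI", msg[:8])
    if msg_type != PACKET_TOO_BIG:
        return {"type": msg_type, "packet_too_big": False}
    return {
        "type": msg_type, "code": code, "mtu": mtu, "packet_too_big": True,
        "invoking_packet": msg[8:],
        # an MTU below the IPv6 minimum is malformed or hostile: log it, don't honour it
        "suspicious": mtu < IPV6_MIN_MTU,
    }


def first_match(rules, icmpv6_type, default="DROP"):
    """Evaluate first-match rules of the form (action, type); type None matches all."""
    for action, match_type in rules:
        if match_type is None or match_type == icmpv6_type:
            return action
    return default


def pmtud_can_work(inbound_rules) -> bool:
    """PMTUD only works if the inbound policy lets Packet Too Big reach the sender."""
    return first_match(inbound_rules, PACKET_TOO_BIG) == "ACCEPT"


# Constructed sample: a router reporting a 1400-byte MTU on its exit interface,
# followed by the first 40 bytes of the dropped packet (its IPv6 header).
SAMPLE_PTB = struct.pack("!BBHI", PACKET_TOO_BIG, 0, 0, 1400) + b"\x60" + b"\x00" * 39

# Constructed policies: the fearful "block all inbound ICMPv6" rule set versus one
# that admits the error messages IPv6 cannot function without before the final drop.
BLOCK_ALL = [("DROP", None)]
CORRECTED = [("ACCEPT", t) for t in (DEST_UNREACHABLE, PACKET_TOO_BIG,
                                     TIME_EXCEEDED, PARAM_PROBLEM)] + [("DROP", None)]

if __name__ == "__main__":
    print(parse_packet_too_big(SAMPLE_PTB)["mtu"], pmtud_can_work(BLOCK_ALL), pmtud_can_work(CORRECTED))
```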

  • On the Practical Feasibility of Ping Sweeping IPv6 Networks

    The IPv6 address space is huge. On paper each IPv6 subnet (/64) supports more than 18.4 quintillion hosts (millions, billions, trillions, quadrillions and then quintillions). It’s an amazingly large number. By every conceivable measure today we can’t contemplate a situation where anything but the tiniest portion of that address space will actually be utilized. Assuming you never have more than a few hundred nodes on each local segment (a common and best practice using today’s technologies), the randomly generated addresses of your nodes are effectively hidden within the total number of possibilities. Actually finding one of your nodes using an ICMP ping sweep becomes almost impossible. We are no longer talking about playing the networking equivalent of Where’s Waldo?; that would be easy. This is something completely different.