Vulnerability Development mailing list archives

Re: ICMP and BlackICE (fwd)


From: James Robbins <robbins.7 () OSU EDU>
Date: Fri, 8 Sep 2000 11:42:16 -0400

At 08:53 AM 9/8/00, Jim Wildman wrote:
>I've found that out as well.  For instance, aggressive icmp blocking
>breaks www.four11.com.
>
>But which ones?

OK, here is the long answer.  This is from a web page I'm trying
to set up which will show the packet formats in graphical format.
Sorry for the incompleteness of the information or for any errors.
If you see any corrections that need to be made please let me
know.  I put this together just to try to get all the info of interest
to me in one spot.

Also, I should point out that blocking Echo doesn't do much good
when someone can use one of several other methods to see if
there is a machine active on a given address.

Anyway, here is the info with the graphics cut out:

ICMP DATAGRAM FORMAT:
        (this is the data field in the IP datagram)
Type
        The contents of the Type field are given in the following table:

Type Field              ICMP Datagram Type              
       0                Echo Reply
       3                Destination Unreachable
       4                Source Quench
       5                Redirect (change a route)
       8                Echo Request
      11                Time Exceeded for a Datagram
      12                Parameter Problem on a Datagram
      13                Timestamp Request
      14                Timestamp Reply
      15                Information Request
      16                Information Reply
      17                Address Mask Request
      18                Address Mask Reply

Following are the specific ICMP Datagram formats for each type:

ECHO REQUEST / ECHO REPLY (Ping)

For Echo Request or Echo Reply the Code field is always 0.  The Identifier
and Sequence Number fields are used to match up requests and replies.  The
contents of the Optional Data field are returned to the sender unchanged by
the receiver.

UNREACHABLE DESTINATION

This message is sent when a datagram cannot be delivered.

The Code field is given in the following table:

Code            Meaning                         
   0    Network Unreachable
   1    Host Unreachable
   2    Protocol Unreachable
   3    Port Unreachable
   4    Fragmentation needed and "Don't Fragment Bit" is set
   5    Source Route Failed

The message also returns the header and first 64 bits of the datagram for
identification and error analysis.

SOURCE QUENCH (Datagram Flow Control)

If a machine cannot keep up with the rate at which a source is sending datagrams,
it sends a Source Quench message to the sender to ask the sender to slow
down.  Usually one Source Quench message is sent for every datagram that
must be discarded.

REDIRECT (Route Change Requests From Gateways)

This message is used to change routing tables in various machines.

The value of the Code field can be:

CODE                            Meaning                         
    0           Redirect datagrams for the Net
    1           Redirect datagrams for the Host
    2           Redirect datagrams for the Type of Service and the Net
    3           Redirect datagrams for the Type of Service and the Host

TIME EXCEEDED for a DATAGRAM

Sent when the Time To Live count of a datagram reaches zero and the machine
that is handling it discards it.

The Code field is set to:
        0 for a time to live count exceeded error and
        1 for a fragment reassembly time exceeded error.

PARAMETER PROBLEM

This message is sent if a problem is encountered with an illegal value in a
header field.

The Pointer field points to the octet of the datagram header that caused
the problem.

TIMESTAMP REQUEST / REPLY

The Identifier and Sequence Fields are used to associate specific replies
with the request that prompted them.

The Originator Timestamp field is filled in by the originator of the request.

The Receiver Timestamp is filled in immediately upon receipt of the request
at the destination.

The Transmitter Timestamp is filled in immediately before the destination
machine returns the reply.

INFORMATION REQUEST / REPLY (Obtaining a Network Address)

This message is somehow used to obtain the IP address of another machine on
the network.  It is used as an alternative to RARP.

The Identifier and Sequence fields are used to associate specific requests
with their replies.

ADDRESS MASK REQUEST / REPLY

This message is used to obtain a subnet mask for the network.  It may be
sent directly to the gateway or sent as a broadcast.

--
James A. Robbins
Senior Design Engineer, Network Engineer
The Ohio State University
Chemistry Department

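As an added example (not part of Robbins's post or any code of his), here is a small Python builder/parser for the ICMP formats listed above, written against the RFC 792 layout: an 8-byte header of type, code, checksum and four bytes of rest-of-header, followed by the type-specific data. It builds an Echo Request, a Timestamp Request and a Destination Unreachable, verifies the one's-complement checksum, pulls the quoted IP header and first 64 bits out of an error message (enough to recover the inner protocol and ports), and applies a simple inbound filter policy that drops every request type a live host would answer, not just Echo, while letting the error types through so Fragmentation Needed (type 3, code 4) and therefore path MTU discovery keep working. All function names and the sample packet (a UDP datagram from 10.0.0.5 to 192.0.2.1, port 53) are constructed for this example.

```python
"""ICMP builder/parser for the message formats in the post.

Added example, not from the original post.  Assumes the RFC 792 layout: an
8-byte ICMP header (type, code, checksum, 4 bytes of rest-of-header) followed
by type-specific data.  Sample packets are constructed inline; nothing is
sent on the wire.
"""
import struct

# Type numbers from the table in the post.
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo Request", 11: "Time Exceeded",
    12: "Parameter Problem", 13: "Timestamp Request", 14: "Timestamp Reply",
    15: "Information Request", 16: "Information Reply",
    17: "Address Mask Request", 18: "Address Mask Reply",
}
UNREACHABLE_CODES = {0: "Network", 1: "Host", 2: "Protocol", 3: "Port",
                     4: "Fragmentation needed and DF set", 5: "Source Route Failed"}
# Request types a live host answers; blocking Echo (8) alone leaves the others open.
PROBE_TYPES = {8, 13, 15, 17}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message; the checksum is computed with its own field zeroed."""
    rest = rest[:4].ljust(4, b"\x00")
    csum = checksum(struct.pack("!BBH", icmp_type, code, 0) + rest + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def build_echo(ident: int, seq: int, data: bytes) -> bytes:
    """Type 8: identifier and sequence, then optional data echoed back unchanged."""
    return build(8, 0, struct.pack("!HH", ident, seq), data)


def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    """Type 13: identifier/sequence, then originate, receive and transmit timestamps."""
    return build(13, 0, struct.pack("!HH", ident, seq), struct.pack("!III", originate_ms, 0, 0))


def build_unreachable(code: int, original_ip_datagram: bytes) -> bytes:
    """Type 3: 4 unused bytes, then the offending IP header plus the first 64 bits of its data."""
    ihl = (original_ip_datagram[0] & 0x0F) * 4
    return build(3, code, payload=original_ip_datagram[: ihl + 8])


def parse(pkt: bytes) -> dict:
    """Decode the common header, verify the checksum, then the type-specific fields."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", pkt[:4])
    msg = {"type": icmp_type, "code": code,
           "name": ICMP_TYPES.get(icmp_type, "Unknown"),
           "checksum_ok": checksum(pkt) == 0}   # a correct packet sums to 0xFFFF, complement 0
    if icmp_type in (0, 8, 13, 14, 15, 16, 17, 18):
        msg["id"], msg["seq"] = struct.unpack("!HH", pkt[4:8])
    if icmp_type in (3, 4, 11, 12) and len(pkt) >= 28:
        # Error messages quote the original IP header and the first 64 bits after it.
        inner = pkt[8:]
        ihl = (inner[0] & 0x0F) * 4
        proto = inner[9]
        msg["inner_proto"] = proto
        msg["inner_src"] = ".".join(str(b) for b in inner[12:16])
        msg["inner_dst"] = ".".join(str(b) for b in inner[16:20])
        if proto in (6, 17) and len(inner) >= ihl + 4:   # TCP/UDP ports sit in those 64 bits
            msg["inner_sport"], msg["inner_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
        if icmp_type == 3:
            msg["reason"] = UNREACHABLE_CODES.get(code, "Unknown")
    if icmp_type in (13, 14) and len(pkt) >= 20:
        msg["timestamps"] = struct.unpack("!III", pkt[8:20])
    return msg


def filter_decision(pkt: bytes, block_probes: bool = True) -> str:
    """Inbound policy: drop host-discovery requests, never accept Redirects, keep errors.

    Types 3, 11 and 12 are left alone on purpose: dropping type 3 code 4
    breaks path MTU discovery for the site's own outbound connections.
    """
    icmp_type, code, _ = struct.unpack("!BBH", pkt[:4])
    if icmp_type in PROBE_TYPES:
        return "drop" if block_probes else "accept"
    if icmp_type == 5:
        return "drop"          # route changes from the outside are never trusted
    return "accept"


# Constructed sample: 20-byte IPv4 header (proto 17/UDP, 10.0.0.5 -> 192.0.2.1) followed by a
# UDP header (src 40000, dst 53), as a router would quote them in a Port Unreachable.
SAMPLE_IP = (bytes.fromhex("45000024abcd00004011") + b"\x00\x00"
             + bytes([10, 0, 0, 5]) + bytes([192, 0, 2, 1]))
SAMPLE_UDP = struct.pack("!HHHH", 40000, 53, 8, 0)
PORT_UNREACH = build_unreachable(3, SAMPLE_IP + SAMPLE_UDP + b"payload beyond the quoted 64 bits")

if __name__ == "__main__":
    for p in (build_echo(0x1234, 1, b"abc"), build_timestamp_request(7, 1, 43200000), PORT_UNREACH):
        print(parse(p), filter_decision(p))
```

The policy function is the practical takeaway from the post: an "echo only" rule stops ping but not a Timestamp, Information or Address Mask Request, each of which also confirms that an address is live, while a blanket drop of all ICMP discards the Destination Unreachable and Time Exceeded messages that TCP stacks and traceroute depend on.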
