Internet Control Message Protocol

ICMP is part of IPv4, but is treated like a separate protocol. Every router and every computer is expected to "understand" ICMP. Most ICMP packets contain diagnostic information: They are sent back from the router to the source if the router discards packets, for example because the destination cannot be reached or the TTL has expired. The following principles apply:

• ICMP uses IP as the basis of communication by interpreting itself as a protocol of a higher layer, i. H. ICMP messages are encapsulated in IP packets.
• ICMP detects some error conditions but does not make IP a reliable protocol.
• ICMP analyzes errors in every IP packet, with the exception of those that carry an ICMP message.
• ICMP messages are not sent in response to packets to destination addresses that are multicast or broadcast addresses.
• ICMP messages only respond to a unique source IP address.

The ICMP packet types

The type of the ICMP packet is an 8- bit number at the beginning of the ICMP header . The numbers have the following meanings:

• 0 = echo (response)
• 1–2 = not assigned
• 3 = destination of the datagram cannot be reached
• 4 = request to throttle the parcel delivery ^†
• 5 = Redirection recommendation to another gateway on the same network with a faster connection to the destination
• 6 = alternative host address ^†
• 7 = not assigned
• 8 = request an echo
• 9 = offer of a router
• 10 = router recruitment
• 11 = timeout
• 12 = Problem with parameters of the datagram
• 13 = time stamp (facilitates time synchronization)
• 14 = timestamp (response)
• 15 = "Information request" ^† (to determine the network number, replaced by DHCP )
• 16 = "Information response" ^†
• 17 = request netmask ^†
• 18 = reply netmask ^†
• 19 = reserved (for security)
• 20–29 = reserved (for robustness experiments)
• 30 = traceroute ^†
• 31 = Error converting datagram ^†
• 32 = Mobile Host Redirect ^†
• 33 = Originally IPv6 Where-Are-You ^† (replaced by ICMPv6 )
• 34 = Originally IPv6 I-Am-Here ^† (replaced by ICMPv6 )
• 35 = Mobile Registration Request ^†
• 36 = Mobile Registration Reply ^†
• 37 = Domain Name Request ^†
• 38 = Domain Name Reply ^†
• 39 = SKIP ^†
• 40 = Photuris
• 41 = used by experimental mobility protocols such as Seamoby
• 42 = extended echo *
• 43 = extended echo (response) *
• 44-252 = not assigned
• 253 = experiment 1 according to RFC 3692
• 254 = Experiment 2 according to RFC 3692

[†] abolished

Time-to-Live

To prevent packets from being sent endlessly through a network (e.g. in a circle between several routers), a router reduces the TTL value by 1. When the TTL value reaches the value 0, the packet is deleted and the sender informs about this process via an ICMP message. Traceroute makes use of this mechanism .

In order to determine the route (the hops ) of a packet to a specific target host , the traceroute analysis program sends data packets with an incrementing Time-To-Live (TTL) (starting with 1) and waits for "Time to live exceeded in transit" or "Destination unreachable" messages as a reaction. Depending on the implementation or a selected option of Traceroute, these can be ICMP (e.g. under Windows) or UDP packets (e.g. under Linux).

construction

ICMP sends and receives a wide variety of messages. The ICMP message is indicated by protocol number 1 in the IP header. ICMPv6, on the other hand, has the protocol number 58. The ICMP message format consists of only a few fields:

The type field specifies the message. The code field interprets the message type more precisely. The data typically contains part of the original IP message. Some of the more common type-code combinations are:

In the case of many ICMP messages, an additional “Data” field contains more detailed information on the assignment of the ICMP message in the first 32-bit word. Often from the second data word onwards, the IP header of the initiating datagram and the first 32 bits of the packet are also transmitted. The “data” field can, however, also be misused to transmit user data ( ICMP tunneling ). The necessary error handling or error correction and the like must then be implemented at the application level.

Security-relevant aspects

The Internet Control Message Protocol can be used for a Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack on a device. A device can also be misused by an attacker as part of a DDoS attack to attack a third device. Typical attack methods are the smurf attack , flooding or the ping of death . Another way of using the ICMP protocol is to use it for unauthorized data transmission via an ICMP tunnel connection.

Web links

• RFC 792 . - Internet Control Message Protocol . [Errata: RFC 792 ]. September 1989. (Updated by RFC 950  - English).
• RFC 1122 . - Requirements for Internet Hosts - Communication Layers . [Errata: RFC 1122 ]. October 1989. (Updated by RFC 1349  - also for further ICMP extensions - English).
• IANA ICMP Parameters - full list of ICMP types and codes

Individual evidence

1. ↑ Internet Control Message Protocol (ICMP) parameters. IANA, June 15, 2018, accessed December 9, 2018 . 
2. ^ J. Postel:  RFC 792  - Internet Control Message Protocol . September 1989. p. 18. ( DARPA Internet Program Protocol Specification. To p. 19 - English).
3. ↑ F. Gont:  RFC 6918 . - Formally Deprecating Some ICMPv4 Message Types . April 2013. (Replaces RFC 1788 - English).
4. ^ R. Bonica, R. Thomas, J. Linkova, C. Lenart, M. Boucadair:  RFC 8335 . - PROBE: A Utility for Probing Interfaces . February 2018. (Proposed Standard).