H3C Technologies H3C SecPath F1000-E User Manual


If a received IPv6 packet’s destination IP address is not a local address and its hop limit is 1, the device sends an ICMPv6 Hop Limit Exceeded message to the source.

Upon receiving the first fragment of an IPv6 datagram with the destination IP address being the local address, the device starts a timer. If the timer expires before all the fragments arrive, an ICMPv6 Fragment Reassembly Timeout message is sent to the source.

If large amounts of malicious packets are received, the performance of a device degrades greatly because it has to send back ICMP Time Exceeded messages. You can disable sending of ICMPv6 Time Exceeded messages.

Follow these steps to enable sending of ICMPv6 time exceeded messages:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable sending of ICMPv6 Time Exceeded messages | ipv6 hoplimit-expires enable | Optional. Enabled by default. |

Enabling Sending of ICMPv6 Destination Unreachable Messages

If the device fails to forward a received IPv6 packet due to one of the following reasons, it drops the packet and sends a corresponding ICMPv6 Destination Unreachable error message to the source.

If no route is available for forwarding the packet, the device sends a "no route to destination" ICMPv6 error message to the source.

If the device fails to forward the packet due to administrative prohibition (such as a firewall filter or an ACL), the device sends the source a "destination network administratively prohibited" ICMPv6 error message.

If the device fails to deliver the packet because the destination is beyond the scope of the source IPv6 address (for example, the source IPv6 address of the packet is a link-local address whereas the destination IPv6 address of the packet is a global unicast address), the device sends the source a "beyond scope of source address" ICMPv6 error message.

If the device fails to resolve the corresponding link layer address of the destination IPv6 address, the device sends the source an "address unreachable" ICMPv6 error message.

If the packet is destined for the device itself, its transport layer protocol is UDP, and its destination port number does not match any running process, the device sends the source a "port unreachable" ICMPv6 error message.

If an attacker sends abnormal traffic that causes the device to generate ICMPv6 destination unreachable messages, end users may be affected. To prevent such attacks, you can disable the device from sending ICMPv6 destination unreachable messages.

Follow these steps to enable sending of ICMPv6 destination unreachable messages:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable sending of ICMPv6 destination unreachable messages | ipv6 unreachables enable | Required. Disabled by default. |
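
The following Python script is an added example, not part of the H3C manual. It parses ICMPv6 error messages of the kinds described above (captured on the device's outbound side), reads the embedded header of the packet that triggered each error, and reports which sources are making the device generate errors at or above a threshold. The type/code values are those of RFC 4443; the function names, sample addresses and threshold are assumptions made for the illustration.

```python
import struct, ipaddress
from collections import Counter

# RFC 4443 type/code values for the error messages this section describes.
ICMPV6_ERRORS = {
    (1, 0): "no route to destination",
    (1, 1): "destination administratively prohibited",
    (1, 2): "beyond scope of source address",
    (1, 3): "address unreachable",
    (1, 4): "port unreachable",
    (3, 0): "hop limit exceeded",
    (3, 1): "fragment reassembly timeout",
}

def parse_error(msg: bytes):
    """Return (error name, original source, original destination) or None."""
    if len(msg) < 8 + 40:           # ICMPv6 header + embedded IPv6 header
        return None
    mtype, code = msg[0], msg[1]
    name = ICMPV6_ERRORS.get((mtype, code))
    inner = msg[8:48]               # start of the packet that triggered the error
    if name is None or inner[0] >> 4 != 6:
        return None
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    return name, src, dst

def noisy_triggers(messages, threshold):
    """Count errors per (kind, triggering source); return those at or over threshold."""
    counts = Counter()
    for m in messages:
        parsed = parse_error(m)
        if parsed:
            counts[(parsed[0], str(parsed[1]))] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

def build_sample(mtype, code, src, dst):
    """Build an ICMPv6 error with a minimal invoking IPv6 header (constructed data)."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 17, 1)  # version 6, UDP, hop limit 1
    inner += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return struct.pack("!BBHI", mtype, code, 0, 0) + inner  # checksum left 0 here

# Constructed samples: one source triggers five hop-limit errors, another a single one.
SAMPLES = ([build_sample(3, 0, "2001:db8::bad", "2001:db8:ffff::%x" % i) for i in range(1, 6)]
           + [build_sample(1, 4, "2001:db8::10", "2001:db8:1::1")])

if __name__ == "__main__":
    print(noisy_triggers(SAMPLES, threshold=5))
```

The source address in the embedded header can be spoofed, so treat the result as a pointer to the traffic pattern loading the device rather than proof of origin.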
