HP 6125G HP 6125G & 6125G/XG Blade Switches Layer 3 - IP Services Conf - Page 105
Enabling replying to multicast echo requests, Enabling sending of ICMPv6 time exceeded messages
View all HP 6125G manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 105 highlights
Step Command 2. Configure the capacity ipv6 icmp-error { bucket and update interval of bucket-size | ratelimit the token bucket. interval } * Remarks Optional. By default, the capacity of a token bucket is 10 and the update interval is 100 milliseconds. A maximum of 10 ICMPv6 error packets can be sent within 100 milliseconds. The update interval "0" indicates that the number of ICMPv6 error packets sent is not restricted. Enabling replying to multicast echo requests If hosts are configured to answer multicast echo requests, an attacker can use this mechanism to attack a host. For example, if Host A (an attacker) sends an echo request with the source being Host B to a multicast address, all the hosts in the multicast group will send echo replies to Host B. To prevent such an attack, disable a device from answering multicast echo requests by default. In some application scenarios, however, you must enable the device to answer multicast echo requests. To enable replying to multicast echo requests: Step 1. Enter system view. 2. Enable replying to multicast echo requests. Command system-view ipv6 icmpv6 multicast-echo-reply enable Remarks N/A Not enabled by default Enabling sending of ICMPv6 time exceeded messages A device sends out an ICMPv6 Time Exceeded message in the following situations: • If a received IPv6 packet's destination IP address is not a local address and its hop limit is 1, the device sends an ICMPv6 Hop Limit Exceeded message to the source. • Upon receiving the first fragment of an IPv6 datagram with the destination IP address being the local address, the device starts a timer. If the timer expires before all the fragments arrive, an ICMPv6 Fragment Reassembly Timeout message is sent to the source. If large quantities of malicious packets are received, the performance of a device degrades greatly because it must send back ICMP Time Exceeded messages. You can disable sending of ICMPv6 Time Exceeded messages. To enable sending of ICMPv6 time exceeded messages: Step 1. Enter system view. 2. Enable sending of ICMPv6 Time Exceeded messages. Command system-view ipv6 hoplimit-expires enable Remarks N/A Optional. Enabled by default. 97