HP VPN Firewall Appliances Network Management Configuration Guide

Upon receiving the first fragment of an IPv6 datagram with the destination IP address being the
local address, the device starts a timer. If the timer expires before all fragments arrive, an ICMPv6
Fragment Reassembly Timeout message is sent to the source.
If large quantities of malicious packets are received, the performance of a device degrades greatly
because it must send back ICMP Time Exceeded messages. You can disable sending ICMPv6 Time
Exceeded messages.
To enable sending ICMPv6 time exceeded messages:
Step                                                Command                        Remarks
1. Enter system view.                               system-view                    N/A
2. Enable sending ICMPv6 Time Exceeded messages.    ipv6 hoplimit-expires enable   Optional. Enabled by default.
Enabling sending ICMPv6 destination unreachable messages
If the device fails to forward a received IPv6 packet for one of the following reasons, it drops the
packet and sends a corresponding ICMPv6 Destination Unreachable error message to the source.
• If no route is available for forwarding the packet, the device sends a "no route to destination"
  ICMPv6 error message to the source.
• If the device fails to deliver the packet because the destination is beyond the scope of the source
  IPv6 address (for example, the source IPv6 address of the packet is a link-local address whereas the
  destination IPv6 address of the packet is a global unicast address), the device sends the source a
  "beyond scope of source address" ICMPv6 error message.
• If the device fails to resolve the corresponding link layer address of the destination IPv6 address, the
  device sends the source an "address unreachable" ICMPv6 error message.
• If the packet's destination is local and its transport layer protocol is UDP, but the packet's
  destination port number does not match a running process, the device sends the source a
  "port unreachable" ICMPv6 error message.
If an attacker sends abnormal traffic that causes the device to generate ICMPv6 destination unreachable
messages, end users might be affected. To prevent such attacks, you can disable the device from sending
ICMPv6 destination unreachable messages.
To enable sending ICMPv6 destination unreachable messages:
Step                                                        Command                    Remarks
1. Enter system view.                                       system-view                N/A
2. Enable sending ICMPv6 destination unreachable messages.  ipv6 unreachables enable   Disabled by default.
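The following audit script is an added example, not part of the HP guide. It reads a saved configuration and reports which of the two ICMPv6 error types above the device would still send, applying the defaults stated in the tables. It assumes the disabled state is saved as an `undo ipv6 ...` line; the sample configurations are constructed.

```python
import re

# Defaults stated in the guide: Time Exceeded sending is enabled by default,
# Destination Unreachable sending is disabled by default.
DEFAULTS = {"hoplimit-expires": True, "unreachables": False}

# Enable form exactly as shown in the guide.
ENABLE_RE = re.compile(r"^\s*ipv6\s+(hoplimit-expires|unreachables)\s+enable\s*$")
# Assumption: the disabled state is saved as an "undo ipv6 <keyword>" line.
UNDO_RE = re.compile(r"^\s*undo\s+ipv6\s+(hoplimit-expires|unreachables)(?:\s+enable)?\s*$")


def icmpv6_error_state(config_text):
    """Return {keyword: sending_enabled}, applying the guide's defaults."""
    state = dict(DEFAULTS)
    for line in config_text.splitlines():
        enable, undo = ENABLE_RE.match(line), UNDO_RE.match(line)
        if enable:
            state[enable.group(1)] = True
        elif undo:
            state[undo.group(1)] = False
    return state


def audit(config_text):
    """List the ICMPv6 error types the device would still send."""
    return [kw for kw, enabled in icmpv6_error_state(config_text).items() if enabled]


# Constructed sample configurations (not taken from a real device).
WEAK = """sysname FW1
ipv6
ipv6 unreachables enable
"""
HARDENED = """sysname FW2
ipv6
undo ipv6 hoplimit-expires
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "still sends:", audit(cfg) or "none")
```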
Enabling sending ICMPv6 redirect messages
When a device receives a large number of attack packets that require it to send ICMPv6 redirect
packets, processing these packets degrades the device's performance. To protect the device from
such attacks, you can use the undo form of the following command to disable sending ICMPv6 redirect
packets.