F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices System Management and Maintenance Configuration Guide-6PW100

| Step | Command | Remarks |
|---|---|---|
| 2. Enable sending ICMP error packets. | Enable sending ICMP redirect packets: ip redirects enable | Disabled by default. |
| | Enable sending ICMP timeout packets: ip ttl-expires enable | Disabled by default. When sending ICMP timeout packets is disabled, the device does not send "TTL timeout" ICMP error packets. However, "reassembly timeout" error packets are sent normally. |
| | Enable sending ICMP destination unreachable packets: ip unreachables enable | Disabled by default. |
Configuring IP virtual fragment reassembly
To prevent each service module (such as IPsec, NAT and firewall) from processing packet fragments that do not arrive in order, you can enable the IP virtual fragment reassembly feature. It virtually reassembles the fragments of a datagram through fragment check, sequencing and caching, ensuring that fragments arrive at each service module in order.

The IP virtual fragment reassembly feature can detect the following types of fragment attacks and discard the attack fragments for security:

• Tiny fragment attack: If the first fragment of an incoming datagram is very small and the Layer 4 (such as TCP and UDP) header is placed into the second fragment, the datagram is considered a tiny fragment attack.
• Overlapping fragment attack: If two consecutive incoming fragments are identical or overlap each other, they are considered an overlapping fragment attack.
• Fragment-flood attack: If the number of concurrent reassemblies or the number of fragments per datagram exceeds the upper limits, the reassemblies or fragments are considered a fragment-flood attack.
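As an added illustration (not from this guide and not the device's own code), the following Python sketch applies the three detection rules above to constructed fragments and releases a datagram once its fragments cover it without gaps. The size and count thresholds are assumed values chosen for the example; the page does not state the device's actual limits.

```python
from dataclasses import dataclass

# Constructed thresholds for this example; the device's real limits are not stated on this page.
MIN_FIRST_FRAGMENT_LEN = 20   # a first fragment must carry at least a 20-byte TCP/UDP header
MAX_REASSEMBLIES = 4          # upper limit on concurrent reassemblies
MAX_FRAGMENTS_PER_DGRAM = 8   # upper limit on fragments per datagram


@dataclass(frozen=True)
class Fragment:
    dgram_id: int   # IP Identification field shared by all fragments of one datagram
    offset: int     # fragment offset in bytes
    length: int     # payload length in bytes
    more: bool      # More Fragments (MF) flag


class VirtualReassembler:
    """Tracks fragment byte ranges per datagram and names the attack a fragment triggers."""

    def __init__(self):
        self.table = {}  # dgram_id -> {"ranges": [(start, end), ...], "total": int or None}

    def check(self, frag):
        """Return 'ok', or the attack type for which the fragment should be discarded."""
        start, end = frag.offset, frag.offset + frag.length
        # Tiny fragment: first fragment too small to hold the Layer 4 header.
        if start == 0 and frag.more and frag.length < MIN_FIRST_FRAGMENT_LEN:
            return "tiny-fragment"
        entry = self.table.get(frag.dgram_id)
        if entry is None:
            # Fragment flood: too many datagrams being reassembled at once.
            if len(self.table) >= MAX_REASSEMBLIES:
                return "fragment-flood"
            entry = self.table[frag.dgram_id] = {"ranges": [], "total": None}
        # Fragment flood: too many fragments for one datagram.
        if len(entry["ranges"]) >= MAX_FRAGMENTS_PER_DGRAM:
            return "fragment-flood"
        # Overlapping fragment: identical or overlapping byte ranges.
        if any(start < e and s < end for s, e in entry["ranges"]):
            return "overlapping-fragment"
        entry["ranges"].append((start, end))
        if not frag.more:
            entry["total"] = end  # the last fragment fixes the datagram length
        # Sequencing: once the ranges cover [0, total) with no gaps, the datagram is complete.
        if entry["total"] is not None:
            covered = 0
            for s, e in sorted(entry["ranges"]):
                if s != covered:
                    break
                covered = e
            if covered == entry["total"]:
                del self.table[frag.dgram_id]
        return "ok"
```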
Configuration guidelines

• The IP virtual fragment reassembly feature only applies to incoming packets on an interface.
• The IP virtual fragment reassembly feature does not support load sharing. The fragments of an IP datagram cannot arrive through different interfaces.
Configuration procedure

To configure IP virtual fragment reassembly:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter VD view. | switchto vd vd-name | Required for a non-default VD. |
| 3. Enter security zone view. | zone name zone-name [ id zone-id ] | Required. |