R3102-R3103-HP 6600/HSR6600 Routers Layer 3 - IP Services Configuration Guide
125
• Extended ICMP messages without a length field—Carry extension information but does not contain
a length field. Such an ICMP message does not comply with RFC 4884.
Based on how these messages are handled, the device can work in one of these modes: common mode,
compliant mode, and non-compliant mode. Table 5 sh
ows how ICMP messages are handled in different
working modes.
Table 5 Handling ICMP messages
Device mode ICMP messages sent ICMP messages received Remarks
Common mode Common ICMP messages
Common ICMP messages
Extension information in
extended ICMP messages is
not processed.
Compliant mode
Common ICMP messages
Extended ICMP messages
with a length field
Common ICMP messages
Extended ICMP messages
with a length field
Extended ICMP messages
without a length field are
handled as common ICMP
messages.
Non-compliant
mode
Common ICMP messages
Extended ICMP messages
without a length field
All three types of ICMP
messages
N/A
NOTE:
ICMP/ICMPv6 messages that can carry extension information include only IPv4 redirect messages,
IPv4/IPv6 time exceeded messages, and IPv4/IPv6 destination unreachable messages.
Configuration procedure
To enable support for ICMP extensions:
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enable support for ICMP
extensions.
• In compliant mode:
ip icmp-extensions compliant
• In non-compliant mode:
ip icmp-extensions non-compliant
Optional.
Disabled by default.
After support for ICMP extensions is disabled, no ICMP message sent by the device contains extension
information.
Configuring IP virtual fragment reassembly
To prevent each service module (such as IPsec, NAT and firewall) from processing packet fragments that
do not arrive in order, you can enable the IP virtual fragment reassembly feature, which can virtually
reassemble the fragments of a datagram through fragment check, sequencing and caching, ensuring
fragments arrive at each service module in order.
The IP virtual fragment reassembly feature can detect the following types of fragment attacks, and discard
the attack fragments for security: