R3303-HP HSR6800 Routers Layer 3 - IP Services Configuration Guide

Table 5 Handling ICMP messages
| Device mode | ICMP messages sent | ICMP messages received | Remarks |
|---|---|---|---|
| Common mode | Common ICMP messages | Common ICMP messages | Extension information in extended ICMP messages is not processed. |
| Compliant mode | Common ICMP messages; extended ICMP messages with a length field | Common ICMP messages; extended ICMP messages with a length field | Extended ICMP messages without a length field are handled as common ICMP messages. |
| Non-compliant mode | Common ICMP messages; extended ICMP messages without a length field | All three types of ICMP messages | N/A |
NOTE:
ICMP/ICMPv6 messages that can carry extension information include only IPv4 redirect messages,
IPv4/IPv6 time exceeded messages, and IPv4/IPv6 destination unreachable messages.
Configuration procedure
To enable support for ICMP extensions:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable support for ICMP extensions. | In compliant mode: ip icmp-extensions compliant. In non-compliant mode: ip icmp-extensions non-compliant | Optional. Disabled by default. |
After support for ICMP extensions is disabled, no ICMP message sent by the device contains extension
information.
Configuring IP virtual fragment reassembly
To prevent each service module (such as IPsec, NAT and firewall) from processing packet fragments that
do not arrive in order, you can enable the IP virtual fragment reassembly feature, which can virtually
reassemble the fragments of a datagram through fragment check, sequencing and caching, ensuring
fragments arrive at each service module in order.
The IP virtual fragment reassembly feature can detect the following types of fragment attacks, and discard
the attack fragments for security:
• Tiny fragment attack—If the first fragment of an incoming datagram is very small and the Layer 4 (such as TCP and UDP) header is placed into the second fragment, the datagram is considered a tiny fragment attack.
• Overlapping fragment attack—If two consecutive incoming fragments are identical or overlap each other, they are considered an overlapping fragment attack.
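The two fragment checks described above can be expressed as a short classifier over raw IPv4 fragments. This is an added example, not code from the guide or from the device: the function names, the "very small" threshold (first fragment shorter than the minimum TCP or UDP header) and the sample packets are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

# Assumed "very small" threshold: shorter than the minimum TCP/UDP header.
MIN_L4_HEADER = {6: 20, 17: 8}  # IP protocol number -> bytes

def parse_fragment(packet):
    """Return ((src, dst, id, proto), offset in bytes, payload length)."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8  # field counts 8-byte units
    return (src, dst, ident, proto), offset, total_len - header_len

def check_fragments(packets):
    """Map each IP ID to 'ok', 'tiny' or 'overlap' (sample IDs are unique)."""
    groups = defaultdict(list)
    for pkt in packets:
        key, offset, length = parse_fragment(pkt)
        groups[key].append((offset, length))
    verdicts = {}
    for (_, _, ident, proto), frags in groups.items():
        frags.sort()  # sequencing step: order by offset
        verdict = "ok"
        first_off, first_len = frags[0]
        if first_off == 0 and first_len < MIN_L4_HEADER.get(proto, 0):
            verdict = "tiny"  # Layer 4 header cannot fit in first fragment
        for (off_a, len_a), (off_b, _) in zip(frags, frags[1:]):
            if off_b < off_a + len_a:
                verdict = "overlap"  # identical or overlapping neighbours
        verdicts[ident] = verdict
    return verdicts

def make_fragment(ident, proto, offset, payload_len, more):
    """Build a constructed IPv4 fragment (checksum left at zero)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + bytes(payload_len)

SAMPLE = [  # constructed traffic: three fragmented datagrams
    make_fragment(1, 6, 0, 24, True), make_fragment(1, 6, 24, 16, False),
    make_fragment(2, 6, 0, 8, True), make_fragment(2, 6, 8, 32, False),
    make_fragment(3, 17, 0, 16, True), make_fragment(3, 17, 8, 16, False),
]

if __name__ == "__main__":
    print(check_fragments(SAMPLE))
```

Datagram 1 passes both checks, datagram 2 has a TCP first fragment of only 8 bytes, and datagram 3 has a second fragment that starts inside the first.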