R2511-HP MSR Router Series Layer 3 - IP Services Configuration Guide(V5)

NOTE:
ICMP/ICMPv6 messages that can carry extension information include only IPv4 redirect messages,
IPv4/IPv6 time exceeded messages, and IPv4/IPv6 destination unreachable messages.
Configuration procedure
To enable support for ICMP extensions:
Step                                     Command                               Remarks
1. Enter system view.                    system-view                           N/A
2. Enable support for ICMP extensions.   In compliant mode:                    Optional.
                                           ip icmp-extensions compliant        Disabled by default.
                                         In non-compliant mode:
                                           ip icmp-extensions non-compliant
After support for ICMP extensions is disabled, no ICMP message sent by the device contains extension
information.
Configuring IP virtual fragment reassembly
To prevent each service module (such as IPsec, NAT and firewall) from processing packet fragments that
do not arrive in order, you can enable the IP virtual fragment reassembly feature, which can virtually
reassemble the fragments of a datagram through fragment check, sequencing and caching, ensuring
fragments arrive at each service module in order.
The IP virtual fragment reassembly feature can detect the following types of fragment attacks, and discard
the attack fragments for security:
• Tiny fragment attack—If the first fragment of an incoming datagram is very small and the Layer 4
  (such as TCP and UDP) header is placed into the second fragment, the datagram is considered a
  tiny fragment attack.
• Overlapping fragment attack—If two consecutive incoming fragments are identical or overlap
  each other, they are considered an overlapping fragment attack.
• Fragment-flood attack—If the number of concurrent reassemblies or the number of fragments per
  datagram exceeds the upper limits, the reassemblies or fragments are considered a fragment-flood
  attack.
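The three checks listed above, modeled as an added Python example (not HP's implementation and not code from this guide). The limits, the minimum header sizes used for the "very small" test, the per-fragment verdicts and the sample fragments are assumptions constructed for illustration.

```python
# Assumed values for illustration only; they are not HP MSR defaults.
L4_MIN_HDR = {6: 20, 17: 8}   # IP protocol -> minimum TCP / UDP header length
MAX_REASSEMBLIES = 2          # assumed limit on concurrent reassemblies
MAX_FRAGS = 4                 # assumed limit on fragments per datagram


def classify(fragments):
    """Return one verdict per fragment: ok, tiny, overlap or flood.

    A fragment is (src, dst, ip_id, proto, offset, length, more_fragments),
    with offset and length in bytes of IP payload.
    """
    cache = {}                # datagram key -> {"ranges": [...], "total": int or None}
    verdicts = []
    for src, dst, ip_id, proto, off, length, more in fragments:
        key, end = (src, dst, ip_id, proto), off + length
        ranges = cache[key]["ranges"] if key in cache else []
        if key not in cache and len(cache) >= MAX_REASSEMBLIES:
            verdict = "flood"     # too many concurrent reassemblies
        elif len(ranges) >= MAX_FRAGS:
            verdict = "flood"     # too many fragments for one datagram
        elif off == 0 and more and length < L4_MIN_HDR.get(proto, 0):
            verdict = "tiny"      # Layer 4 header pushed into a later fragment
        elif any(off < e and s < end for s, e in ranges):
            verdict = "overlap"   # identical fragments also match here
        else:
            verdict = "ok"
            entry = cache.setdefault(key, {"ranges": [], "total": None})
            entry["ranges"].append((off, end))
            if not more:
                entry["total"] = end
            # Accepted ranges never overlap, so equal sums mean the datagram is complete.
            if entry["total"] == sum(e - s for s, e in entry["ranges"]):
                del cache[key]    # reassembly finished, free the slot
        verdicts.append(verdict)
    return verdicts


# Constructed sample traffic (documentation addresses, made-up IP IDs).
SAMPLE = [
    ("192.0.2.1", "198.51.100.1", 1, 6, 0, 8, True),        # 8-byte first TCP fragment
    ("192.0.2.1", "198.51.100.1", 2, 17, 0, 1480, True),
    ("192.0.2.1", "198.51.100.1", 2, 17, 1480, 520, False),  # completes datagram 2
    ("192.0.2.1", "198.51.100.1", 3, 17, 0, 1480, True),
    ("192.0.2.1", "198.51.100.1", 3, 17, 1472, 100, False),  # overlaps bytes 1472-1479
    ("192.0.2.2", "198.51.100.1", 4, 17, 0, 1480, True),
    ("192.0.2.3", "198.51.100.1", 5, 17, 0, 1480, True),    # third open reassembly
]

if __name__ == "__main__":
    for frag, verdict in zip(SAMPLE, classify(SAMPLE)):
        print(verdict, frag)
```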
Configuration guidelines
• The IP virtual fragment reassembly feature only applies to incoming packets on an interface.
• The IP virtual fragment reassembly feature does not support load sharing. The fragments of an IP
  datagram cannot arrive through different interfaces.