CCIE 400-101: Network Principles - ICMP Unreachable and ICMP Redirect

ICMP General Overview

  • IP is not inherently reliable; packets are sometimes dropped.
  • The purpose of ICMP messages is to provide feedback about problems in the communication path.
  • There is still no guarantee that packets will be delivered to their final destination. Some packets may even be undelivered without any report of their loss.
  • The higher level protocols (like TCP) must implement their own reliability procedures if reliable communication is required.

ICMP Unreachable

  • RFC 792 defines six different ICMP Destination Unreachable messages.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Code      |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             unused                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Internet Header + 64 bits of Original Data Datagram      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  • The Type is 3 and the Code varies from 0-5 depending on why the packet was discarded:
    • 0 = net unreachable;
    • 1 = host unreachable;
    • 2 = protocol unreachable;
    • 3 = port unreachable;
    • 4 = fragmentation needed and DF set;
    • 5 = source route failed;
  • Codes 0, 1, 4, and 5 may be received from a gateway. Codes 2 and 3 may be received from a host.
  • Internet Header + 64 bits of Original Data Datagram are used by the host to match the message to the appropriate process. Port numbers are assumed to be in the first 64 bits of the original datagram's data.
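As an added example (not part of the original notes), the following Python builds and parses a Destination Unreachable message in the layout above: it computes the ICMP checksum, quotes the original IP header plus the first 64 bits of its data, and recovers the addresses and ports a host uses to match the message to a process. The sample datagram is constructed here for the demonstration.

```python
import socket
import struct

# RFC 792 Destination Unreachable codes and the device class that normally emits them.
UNREACHABLE_CODES = {
    0: ("net unreachable", "gateway"),
    1: ("host unreachable", "gateway"),
    2: ("protocol unreachable", "host"),
    3: ("port unreachable", "host"),
    4: ("fragmentation needed and DF set", "gateway"),
    5: ("source route failed", "gateway"),
}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_unreachable(code: int, original_datagram: bytes) -> bytes:
    """Type 3 message: 8-byte ICMP header, then the original IP header + 64 bits of its data."""
    ihl = (original_datagram[0] & 0x0F) * 4            # IP header length in bytes
    quoted = original_datagram[:ihl + 8]
    header = struct.pack("!BBHI", 3, code, 0, 0)       # checksum and 'unused' start at zero
    return struct.pack("!BBHI", 3, code, icmp_checksum(header + quoted), 0) + quoted

def parse_unreachable(msg: bytes) -> dict:
    """Check the checksum, then recover what a host needs to match the message to a process."""
    icmp_type, code, _, _ = struct.unpack("!BBHI", msg[:8])
    if icmp_type != 3 or code not in UNREACHABLE_CODES:
        raise ValueError("not a Destination Unreachable message")
    if icmp_checksum(msg) != 0:                         # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    # Port numbers are assumed to be in the first 64 bits of the original datagram's data.
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    reason, origin = UNREACHABLE_CODES[code]
    return {"code": code, "reason": reason, "origin": origin, "proto": inner[9],
            "src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport}

# Constructed sample: UDP 10.0.0.5:40000 -> 192.168.1.142:53, 20-byte IP header, DF bit set.
SAMPLE_DATAGRAM = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0x4000, 64, 17, 0,
                              socket.inet_aton("10.0.0.5"), socket.inet_aton("192.168.1.142"))
SAMPLE_DATAGRAM += struct.pack("!HHHH", 40000, 53, 8, 0)   # UDP header = the quoted 64 bits
```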

Network Unreachable (0)

  • When a router sends a Network Unreachable message, it is saying that it has no way to reach the destination IP address.
  • If a device tries to ping 192.168.1.142 but there is a router in the path with no route to the destination network, it will send the Network Unreachable message.
  • This can also happen if a link to reach the network is down and there are no alternate paths.
  • A Network Unreachable message could also be the result of a misconfigured route. Using the previous IP address 192.168.1.142 as an example, assume that the administrator wanted to add a static route for 192.168.1.0/24 but accidentally configured 192.168.1.0/25 instead (with no default route set). The packet would not match this route, it would be dropped, and a Network Unreachable message would be sent to the source.

Host Unreachable (1)

  • The Host Unreachable message is sent by the last router in the path - directly connected to the destination network.
  • This message is generated when the router sends an ARP request on the directly attached network looking for the MAC address of the destination IP but never receives a reply, and hence, is not able to forward the packet to its final destination.
  • The router then issues a Host Unreachable message back to the originator.
  • The Host Unreachable message implies that the path across the communicating devices is working. The packet has been forwarded all the way through the network and has arrived successfully at the last router in the path.

Port Unreachable (3)

  • Unlike the Network Unreachable and Host Unreachable messages which come from routers, the Port Unreachable message comes from a host.
  • The Port Unreachable message indicates that the packet got all the way to its final destination but when the packet was processed by a higher layer protocol, the port process did not exist.
  • The protocol handler then reported the situation with a Port Unreachable message.
  • The nice thing about a Port Unreachable message is that it confirms proper end-to-end IP operation and the presence of the destination host.

Protocol Unreachable (2), Fragmentation Needed and DF Set (4), and Source Route Failed (5)

  • These three ICMP Unreachable messages are rare compared to the previous three, which are the most common.
  • The Protocol Unreachable message simply means that the destination host did not support that protocol. This could happen, for example, when OSPF packets are sent to a RIP router. Since the router doesn't have any OSPF processes enabled, the entire protocol is unreachable.
  • The Fragmentation Needed and DF Set message is self-explanatory. The originating device set the DF bit in the IP flags field, so the receiving router cannot fragment the packet. If the router has a smaller MTU and fragmentation is not allowed, the packet is discarded and the ICMP message is returned.
  • There is little documentation on the Source Route Failed message, but it can occur when source routing is in use. Normally, packet forwarding is destination-based, but IP options can be used to specify the route a packet takes through the network. This is called source routing. The Source Route Failed message is usually generated when a router cannot forward the packet because source routing is enforced in the packet but the required route does not exist.
  • Bonus: There are two IP options that support source routing. Both options include a list of IP addresses specifying the routers that must be used to reach the destination. Strict source routing means that the path specified in the option must be used exactly, in sequence, with no other routers permitted to handle the packet at all. In contrast, loose source routing specifies a list of IP addresses that must be followed in sequence, but having intervening hops in between the devices on the list is allowed.

ICMP Redirect

  • ICMP Redirect message is sent by a router to notify a host that a better route is available for a particular destination.
  • A host should never send an ICMP Redirect message; Redirects must be sent only by gateways.
  • For example, in the following diagram, Host H's default gateway is R1. To reach the remote PC, Host H would send the traffic to R1, but clearly a better path on the same segment, through R2 directly, is available. R1 recognizes this situation and sends an ICMP Redirect message to Host H, which then updates its gateway information accordingly.

Example debug message: *Mar 18 06:28:54: ICMP:redirect sent to 172.16.1.1 for dest 10.1.1.1, use gw 172.16.1.200

  • R1 cannot, however, send Redirect messages at its own will. The router must fulfill specific requirements first.
  • Cisco routers send ICMP Redirect messages when all of the following conditions are met:
    • The incoming interface is the same interface on which the packet gets routed out.
    • The source IP address is on the same subnet as the next-hop IP address of the routed packet.
    • The packet is not source routed.
    • The kernel is configured to send Redirects (enabled by default, but it can be disabled on a per-interface basis with no ip redirects).
  • ICMP Redirects are disabled by default if HSRP is configured on the interface.
  • ICMP Redirects generally indicate a badly designed network.
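The redirect decision and the debug line above can be modelled in code. This Python is an added illustration, not IOS code or anything from the original notes: a toy forwarder with longest-prefix match that applies the four conditions above to decide between forwarding, sending a Redirect, or sending Network Unreachable (it also reproduces the /25 misroute case from the Network Unreachable section). Interface names, R1's own 172.16.1.254 address, the /24 masks and the 10.2.2.0/24 link are assumptions.

```python
import ipaddress

class Router:
    """Toy IPv4 forwarder modelling the Cisco ICMP Redirect conditions (illustrative, not IOS)."""

    def __init__(self):
        self.interfaces = {}   # name -> (IPv4Interface, ip redirects enabled?)
        self.routes = []       # (IPv4Network, next-hop IPv4Address, egress interface name)

    def add_interface(self, name, cidr, ip_redirects=True):
        # ip_redirects=False models 'no ip redirects' configured on that interface.
        self.interfaces[name] = (ipaddress.ip_interface(cidr), ip_redirects)

    def add_route(self, prefix, next_hop, via):
        self.routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop), via))

    def lookup(self, dst):
        """Longest-prefix match over connected networks and static routes; None = no route."""
        dst = ipaddress.ip_address(dst)
        # A connected network forwards straight to the destination (next hop = dst itself).
        candidates = [(i.network, dst, name) for name, (i, _) in self.interfaces.items()
                      if dst in i.network]
        candidates += [(net, nh, via) for net, nh, via in self.routes if dst in net]
        return max(candidates, key=lambda c: c[0].prefixlen) if candidates else None

    def forward(self, ingress, src, dst, source_routed=False):
        """Return (action, detail): 'unreachable' (Type 3/Code 0), 'redirect' or 'forward'."""
        match = self.lookup(dst)
        if match is None:
            return ("unreachable", f"no route to {dst}: net unreachable sent to {src}")
        _, next_hop, egress = match
        in_if, redirects_enabled = self.interfaces[ingress]
        same_subnet = (ipaddress.ip_address(src) in in_if.network
                       and next_hop in in_if.network)
        if ingress == egress and same_subnet and not source_routed and redirects_enabled:
            # Same wording as the IOS debug line quoted above.
            return ("redirect", f"ICMP:redirect sent to {src} for dest {dst}, use gw {next_hop}")
        return ("forward", f"out {egress} via {next_hop}")

def example_r1():
    """R1 from the redirect example; addresses other than H, R2 and the dest are assumed."""
    r1 = Router()
    r1.add_interface("Gi0/0", "172.16.1.254/24")   # Host H (172.16.1.1) and R2 (.200) sit here
    r1.add_interface("Gi0/1", "10.2.2.1/24")
    r1.add_route("10.1.1.0/24", next_hop="172.16.1.200", via="Gi0/0")   # remote PC via R2
    r1.add_route("192.168.1.0/25", next_hop="10.2.2.2", via="Gi0/1")    # the mistyped /25
    return r1
```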
