Internet Control Message Protocol

ICMP is a maintenance protocol specified in RFC 792 and is normally considered to be part of the IP layer. ICMP messages are encapsulated within IP datagrams, so that they can be routed throughout an internetwork. ICMP is used by Windows 2000 to:

  • Build and maintain route tables.

  • Assist in PMTU discovery.

  • Diagnose problems.

  • Adjust flow control to prevent link or router saturation.

  • Perform router discovery.

Maintaining Route Tables

A Windows 2000 host is normally configured with an IP address, subnet mask, and default gateway. When TCP/IP is initialized, a set of routes based on this configuration is created in the host's IP routing table as discussed in "Viewing the IP Routing Table" earlier in this chapter. If the host forwards an IP datagram to its default gateway and a better route exists through a router that has an interface on the same network segment as the sending host and the default gateway, the host's default gateway forwards the datagram and sends an ICMP Redirect message to the host informing it of the IP address of the better router to use to reach the destination IP address.

When a Windows 2000–based computer receives an ICMP Redirect message, IP verifies that it came from the first-hop gateway in the current route and that the gateway is on a directly connected network. If so, a host route with a 10-minute lifetime is added to the route table for that destination IP address. If the ICMP Redirect message did not come from the first-hop gateway in the current route, or if that gateway is not on a directly connected network, the ICMP Redirect message is ignored.
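The acceptance check described above, modeled as an added example (not code from the original page or from Windows 2000). The `RouteTable` class and its method names are hypothetical, the addresses are constructed documentation-range values, and the extra test that the new gateway is itself on-link comes from RFC 1122 section 3.2.2.2 rather than from this page.

```python
import ipaddress

REDIRECT_LIFETIME = 600  # seconds: the 10-minute host route described above

class RouteTable:
    """Hypothetical host route table holding only what the check needs."""

    def __init__(self, connected_networks, default_gateway):
        self.networks = [ipaddress.ip_network(n) for n in connected_networks]
        self.default_gateway = ipaddress.ip_address(default_gateway)
        self.host_routes = {}  # destination -> (gateway, expiry time)

    def on_link(self, addr):
        return any(addr in net for net in self.networks)

    def first_hop(self, dest, now):
        """Current first-hop gateway for dest; expired host routes are dropped."""
        dest = ipaddress.ip_address(dest)
        route = self.host_routes.get(dest)
        if route and route[1] > now:
            return route[0]
        self.host_routes.pop(dest, None)
        return self.default_gateway

    def handle_redirect(self, sender, dest, new_gateway, now):
        """Return True and install a host route only if every check passes."""
        sender, dest, new_gateway = (
            ipaddress.ip_address(a) for a in (sender, dest, new_gateway))
        if sender != self.first_hop(dest, now):
            return False  # not from the first-hop gateway in the current route
        if not self.on_link(sender):
            return False  # that gateway is not on a directly connected network
        if not self.on_link(new_gateway):
            return False  # RFC 1122 check, an addition to the page's two tests
        self.host_routes[dest] = (new_gateway, now + REDIRECT_LIFETIME)
        return True

if __name__ == "__main__":
    table = RouteTable(["192.0.2.0/24"], "192.0.2.1")  # constructed addresses
    print(table.handle_redirect("192.0.2.1", "198.51.100.7", "192.0.2.254", 0))
    print(table.first_hop("198.51.100.7", 10))
```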

PMTU Discovery

Windows 2000 employs Path Maximum Transmission Unit (PMTU) discovery described in RFC 1191 for TCP connections.

When a connection is established, the two hosts involved exchange their TCP maximum segment size (MSS) values. The smaller of the two MSS values is used for the connection. Previously, the MSS for a host has been the MTU at the link layer minus 40 bytes for the IP and TCP headers. However, support for additional TCP options, such as timestamps, has increased the typical TCP and IP header to 52 or more bytes. The relationship between IP MTU and TCP MSS is shown in Figure 2.2.


Figure 2.2 IP MTU and TCP MSS

By default, all Windows 2000 TCP segments are sent with the Don't Fragment flag set in the IP header. Routers that attempt to fragment the TCP segment discover the Don't Fragment flag. At this point, the router does one of the following:

  • The router discards the IP datagram and sends an ICMP Destination Unreachable-Fragmentation Needed and DF Set message back to the sending host. This is the original purpose of these messages.

  • The router discards the IP datagram and sends (to the sending host) an ICMP Destination Unreachable-Fragmentation Needed and DF Set message containing the MTU of the next hop. The MTU that is allowed for the next hop is stored in the low-order 16 bits of the ICMP header field that is labeled "unused" in RFC 792. See RFC 1191, section 4, for the format of this message. This is a PMTU-compliant router.

  • The router discards the IP datagram without sending an ICMP Destination Unreachable-Fragmentation Needed and DF Set message. This type of router is known as a PMTU black hole.

Upon receipt of the ICMP Destination Unreachable-Fragmentation Needed and DF Set message containing the MTU of the next hop, the Windows 2000 implementation of TCP will adjust its MSS for the new MTU so that any further packets sent on the connection will be no larger than the maximum size that can traverse the path without fragmentation. The minimum MTU permitted by RFC 791 is 68 bytes, and Windows 2000 TCP/IP enforces this limit.

If there are non-PMTU-compliant routers or PMTU black hole routers on your IP internetwork, it might be necessary to change the configuration of PMTU Discovery behavior. You can reduce the problems caused by black hole routers by setting the values of the EnablePMTUBHDetect and EnablePMTUDiscovery registry entries (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters) to 1. Explanations of these registry entries are as follows:

EnablePMTUBHDetect    Adjusts the PMTU discovery algorithm to attempt to detect PMTU black hole routers. PMTU Black Hole detection is disabled by default.

EnablePMTUDiscovery    Enables or disables the PMTU discovery mechanism. When PMTU discovery is disabled, TCP connection traffic is sent without setting the Don't Fragment flag to 1. PMTU discovery is enabled by default.

To reduce problems caused by black hole routers

  1. In a registry editor, navigate to HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.

  2. Select the EnablePMTUBHDetect entry, and change the value to 1.

  3. Close the registry editor.

The PMTU between two hosts can be discovered manually using the ping command with the -f (don't fragment) switch, as follows:

ping -f -n <number of pings> -l <size> <destination IP address>

The size parameter can be varied until the MTU of the next hop is discovered. Note that the size parameter used by Ping is the size of the optional data in the ICMP Echo Request and does not include the ICMP Echo Request header (8 bytes long) and the IP header (normally 20 bytes long). Therefore, for Ethernet, the maximum ping buffer size is 1500 – 8 – 20 or 1472. The following example shows the results of pinging across a router on an Ethernet network with a buffer size of 1472 and then 1473:

C:\>ping -f -n 1 -l 1472

Pinging with 1472 bytes of data:

Reply from bytes=1472 time<10ms TTL=128

Ping statistics for

Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>ping -f -n 1 -l 1473

Pinging with 1473 bytes of data:

Packet needs to be fragmented but DF set.

Ping statistics for

Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

In this example, the IP layer returned an ICMP error message that Ping interpreted. If the router is a PMTU black hole router, the ICMP Echo Request sent by Ping simply goes unanswered once its size exceeds the MTU of the next hop. Ping can be used in this manner to detect a PMTU black hole router.

The following Network Monitor capture shows a sample PMTU-compliant ICMP Destination Unreachable-Fragmentation Needed and DF Set message:

+ FRAME: Base frame properties

+ ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol

+ IP: ID = 0x4401; Proto = ICMP; Len: 56

ICMP: Destination Unreachable: See frame 3

ICMP: Packet Type = Destination Unreachable

ICMP: Unreachable Code = Fragmentation Needed, DF Flag Set

ICMP: Checksum = 0xA05B

ICMP: Next Hop MTU = 576 (0x240)

ICMP: Data: Number of data bytes remaining = 28 (0x001C)

+ ICMP: Description of original IP frame

This message was generated by using ping -f -l 1000 on an Ethernet-based host to forward a 1028-byte datagram across a router interface that only supports an MTU of 576 bytes. When the router tried to place the large datagram onto the network with the smaller MTU, it found that fragmentation was not allowed. The router then discarded the IP datagram and sent back the ICMP message indicating that the largest datagram that could be forwarded was 0x240, or 576 bytes.
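A parser for the RFC 1191 message format described above and shown in the capture, as an added example that is not part of the original page. The function names are hypothetical, the sample message is constructed (its addresses, ID and checksum are not the ones in the capture), and clamping a reported MTU below 68 up to 68 is this example's reading of "enforces this limit".

```python
import struct

MIN_MTU = 68        # minimum MTU the page cites from RFC 791
TCPIP_HEADERS = 40  # IP + TCP headers without options

def inet_checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frag_needed(icmp: bytes):
    """Return the next-hop MTU, or None if the router left the field zero."""
    if len(icmp) < 8 + 20:
        raise ValueError("truncated ICMP error message")
    if inet_checksum(icmp) != 0:  # a valid message sums to zero, checksum included
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        raise ValueError("not Fragmentation Needed and DF Set")
    orig = icmp[8:]  # header of the discarded datagram plus 8 data bytes
    if orig[0] >> 4 != 4 or not struct.unpack("!H", orig[6:8])[0] & 0x4000:
        raise ValueError("embedded datagram is not IPv4 with DF set")
    return mtu or None  # None: original RFC 792 form, no MTU supplied

def new_mss(next_hop_mtu: int) -> int:
    """MSS for the reported MTU; values below 68 are clamped (assumption)."""
    return max(next_hop_mtu, MIN_MTU) - TCPIP_HEADERS

def build_sample(next_hop_mtu: int) -> bytes:
    """Constructed message: 8-byte ICMP header + 28 bytes of the original."""
    orig_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1028, 0x1234, 0x4000,
                          128, 1, 0, bytes([192, 0, 2, 10]),
                          bytes([198, 51, 100, 20]))
    body = orig_ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # echo request start
    header = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    cksum = inet_checksum(header + body)
    return struct.pack("!BBHHH", 3, 4, cksum, 0, next_hop_mtu) + body

if __name__ == "__main__":
    mtu = parse_frag_needed(build_sample(576))
    print(mtu, new_mss(mtu))
```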

Use of ICMP to Diagnose Problems

The Ping tool is used to send ICMP Echo Requests to an IP address, and to wait for ICMP Echo Replies. Ping reports the number of responses received and the time interval between sending the request and receiving the response. There are many different options that can be used with the Ping tool. For more information about how Ping is used to troubleshoot, see "TCP/IP Troubleshooting" in this book.

Tracert is a route tracing tool that works by sending ICMP Echo Request messages to a specified IP address with increasing values of the Time To Live (TTL) field in the IP header. The first Echo Request message has a TTL of 1. The first router decreases the TTL to 0 and sends an ICMP Time Exceeded–TTL Expired in Transit message to the sender. From the Source IP Address field of the ICMP message, the sending host determines the IP address of the near-side router interface. Tracert then sends an ICMP Echo Request message with a TTL of 2, and so on. This process continues until the entire list of near-side router interfaces, from the sending host to the destination, is determined.

For more information about the Tracert command and how it is used to troubleshoot, see "TCP/IP Troubleshooting" in this book.

Flow Control Using ICMP

When a router becomes congested and begins to discard IP datagrams, it can send ICMP Source Quench messages to the sending host of the discarded datagrams. Windows 2000 TCP/IP honors an ICMP Source Quench message for TCP traffic provided that it contains the header fragment of one of its own datagrams from an active TCP connection. A Windows 2000–based router does not send ICMP Source Quench messages.

ICMP Router Discovery

As specified in RFC 1256, Windows 2000 TCP/IP provides host support for ICMP router discovery. Router discovery provides an improved method of detecting and configuring default gateways. Instead of configuring a default gateway manually or through DHCP, hosts can dynamically discover the best default gateway to use on their subnet and can automatically switch to another default gateway if the current default gateway fails or the network administrator changes router preferences.

When a host supporting router discovery initializes, it joins the all-hosts IP multicast group and listens for ICMP Router Advertisement messages. ICMP router discovery–compatible routers periodically send ICMP Router Advertisements containing their IP address, a preference level, and a time after which they can be considered down. Hosts receive the ICMP Router Advertisements and select the router with the highest preference level as their default gateway.

Hosts can also send ICMP Router Solicitation messages to the all-routers IP multicast address when an interface initializes or the host has not received a router advertisement from the router for the current default gateway within the router's advertised lifetime. Windows 2000 hosts send a maximum of three solicitations at intervals of approximately 600 milliseconds. The use of host router discovery is determined by the values of the PerformRouterDiscovery and SolicitationAddressBCast registry entries (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\InterfaceName).

The Windows 2000 Routing and Remote Access service supports ICMP router discovery as a router. For more information, see "Unicast IP Routing" in the Internetworking Guide.