How ICMP Works
The Internet Control Message Protocol (ICMP) is the diagnostic and error-reporting layer of the IP stack. Defined in RFC 792 for IPv4 and RFC 4443 for ICMPv6, ICMP messages travel inside IP packets but sit logically above IP — they report conditions about IP packet processing, not application data. Every network engineer's toolbox depends on ICMP: ping, traceroute, and Path MTU Discovery all rely on specific ICMP message types. Blocking ICMP indiscriminately, a common but misguided security practice, breaks several critical network functions.
Message Structure
Every ICMP message shares a common 4-byte header prefix, followed by type-specific fields and data:
| Field | Size | Purpose |
|---|---|---|
| Type | 1 byte | Message category (echo, dest unreachable, time exceeded, etc.) |
| Code | 1 byte | Sub-type within the message category |
| Checksum | 2 bytes | One's-complement checksum of the entire ICMP message |
| Rest of header | 4 bytes | Type-specific (Identifier + Sequence for echo; unused/pointer for others) |
| Data | variable | For error messages: the offending packet's IP header plus the first 8 bytes of its payload |
The inclusion of the original packet's header and first 8 bytes of payload in error messages is critical — it lets the receiving host identify which socket/flow generated the packet that caused the error.
Key Message Types
Echo Request (Type 8) / Echo Reply (Type 0)
This is ping. The sender constructs an ICMP Echo Request with a 16-bit Identifier (typically the process ID) and a 16-bit Sequence Number. The receiver must send back an Echo Reply with the same Identifier and Sequence Number and the same payload. The round-trip time is measured between send and receive. The Identifier distinguishes pings from different processes sharing the same source IP; the Sequence Number detects out-of-order or duplicate replies.
Destination Unreachable (Type 3)
Generated when a packet cannot be delivered. The Code field specifies why:
| Code | Meaning | Generated by |
|---|---|---|
| 0 | Network Unreachable | Router: no route to destination network |
| 1 | Host Unreachable | Router: route exists but host not responding on local segment |
| 2 | Protocol Unreachable | Destination host: protocol number not handled |
| 3 | Port Unreachable | Destination host: no socket listening on that port |
| 4 | Fragmentation Needed and DF Set | Router: packet too large, DF bit prevents fragmentation — this is Path MTU Discovery |
| 13 | Communication Administratively Prohibited | Firewall: packet filtered by policy |
Code 4 (Fragmentation Needed) is particularly important: it tells the sender "I would have fragmented this packet but you set the DF (Don't Fragment) bit. The MTU on this link is X." This drives IPv4 Path MTU Discovery (PMTUD). Dropping this message causes PMTUD to fail, producing ICMP black holes — connections that appear to hang when large payloads are sent. See MTU and PMTUD for the full story.
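To make the header layout, the checksum and the quoted-packet mechanism concrete, here is an added Python example (not code from the original page) that builds an Echo Request, verifies its checksum, and decodes a constructed Fragmentation Needed message to recover both the Next-Hop MTU and the flow that triggered the error. The addresses, ports, identifier and MTU value are constructed, and the quoted IP header's own checksum is left at zero as a simplification.

```python
import socket
import struct

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
CODE_FRAG_NEEDED = 4


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                      # odd-length messages are zero-padded for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def verify_checksum(msg: bytes) -> bool:
    """Summing a message that already carries its checksum yields 0 when it is intact."""
    return icmp_checksum(msg) == 0


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8 / Code 0; Identifier and Sequence occupy the 'rest of header' field."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with DF set (header checksum left 0: constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_frag_needed(quoted_ip_header: bytes, first8: bytes, next_hop_mtu: int) -> bytes:
    """Type 3 / Code 4 as a router emits it: 16 unused bits, then Next-Hop MTU (RFC 1191),
    followed by the offending IP header and the first 8 bytes of its payload."""
    tail = quoted_ip_header + first8
    header = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = icmp_checksum(header + tail)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, csum, 0, next_hop_mtu) + tail


def parse_quoted_packet(quoted: bytes) -> dict:
    """Recover the flow from the quoted IP header + 8 payload bytes (enough for TCP/UDP ports)."""
    ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < ihl + 8:
        raise ValueError("quoted packet shorter than IP header + 8 bytes")
    proto = quoted[9]
    flow = {"protocol": proto,
            "src": socket.inet_ntoa(quoted[12:16]),
            "dst": socket.inet_ntoa(quoted[16:20])}
    if proto in (6, 17):                     # TCP / UDP: ports are the first 4 transport bytes
        flow["sport"], flow["dport"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return flow


def parse_icmp(msg: bytes) -> dict:
    """Decode the common 4-byte header, the type-specific 4 bytes, and any quoted packet."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    mtype, code, _csum, rest = struct.unpack("!BBHI", msg[:8])
    info = {"type": mtype, "code": code, "checksum_ok": verify_checksum(msg)}
    if mtype in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        info["identifier"], info["sequence"] = rest >> 16, rest & 0xFFFF
        info["payload"] = msg[8:]
    elif mtype in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        if mtype == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED:
            info["next_hop_mtu"] = rest & 0xFFFF
        info["original"] = parse_quoted_packet(msg[8:])
    return info


def demo() -> tuple:
    """Constructed traffic: a ping, and a 1500-byte TCP segment bounced by a 1400-byte link."""
    echo = build_echo_request(ident=0x1234, seq=1, payload=b"ping-example")
    ip_hdr = build_ipv4_header("203.0.113.10", "198.51.100.20", 6, 1500)
    tcp_first8 = struct.pack("!HHI", 51234, 443, 0x01020304)   # sport, dport, seq number
    frag = build_frag_needed(ip_hdr, tcp_first8, 1400)
    return parse_icmp(echo), parse_icmp(frag)


if __name__ == "__main__":
    for decoded in demo():
        print(decoded)
```

The decoded Fragmentation Needed message shows why the quoted bytes matter: from the IP header and the first 8 payload bytes alone, the receiving host can match the error to the TCP connection 203.0.113.10:51234 to 198.51.100.20:443 and lower that socket's path MTU to 1400. The same parser handles Time Exceeded, whose quoted packet is what lets traceroute pair each reply with the probe that triggered it.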
Time Exceeded (Type 11)
This is the message that makes traceroute work. Every IP packet has a Time-to-Live (TTL) field, decremented by each router. When TTL reaches zero, the router discards the packet and sends an ICMP Time Exceeded (Code 0: TTL exceeded in transit) back to the source, including its own IP address as the source of the ICMP. Traceroute exploits this by sending probes with TTL=1, 2, 3... — each successive probe reaches one hop further before triggering a Time Exceeded, revealing the path hop by hop. See how traceroute works for the full mechanics.
Redirect (Type 5)
A router sends an ICMP Redirect to a host when it knows the host should use a different next-hop for a particular destination. For example, if a host sends traffic to Router A, but Router A knows Router B on the same subnet is a better next-hop, it forwards the packet and sends an ICMP Redirect to the host. Redirects can be exploited in man-in-the-middle attacks; many hosts disable processing them by default.
ICMPv6 — A Much Larger Role
In IPv6, ICMPv6 (RFC 4443) takes on substantially more responsibility than ICMP does in IPv4. The most significant extension is Neighbor Discovery Protocol (NDP), which replaces ARP entirely. NDP uses five ICMPv6 message types:
| Type | Name | Function |
|---|---|---|
| 133 | Router Solicitation | Host asks for router advertisement |
| 134 | Router Advertisement | Router announces prefix, MTU, default gateway |
| 135 | Neighbor Solicitation | Like ARP request — "who has this IPv6 address?" |
| 136 | Neighbor Advertisement | Like ARP reply — "I have that address, here's my MAC" |
| 137 | Redirect | Same concept as IPv4 ICMP Redirect |
NDP messages use link-local addresses and are protected by the Secure Neighbor Discovery (SEND) extension (RFC 3971) in security-conscious deployments. ICMPv6 Types 130–132 and 143 carry Multicast Listener Discovery (MLD) messages, the IPv6 equivalent of IGMP. ICMPv6 is also used for Path MTU Discovery, which is mandatory in IPv6 because IPv6 routers never fragment packets — a Packet Too Big (Type 2) message must reach the source or the connection dies.
Why Blocking All ICMP Is Wrong
Security teams sometimes configure firewalls to drop all ICMP, reasoning that ping is a reconnaissance tool. This reasoning is technically correct but overly broad, and the consequences are severe:
- PMTUD breaks — if ICMP Type 3 Code 4 (IPv4) or ICMPv6 Type 2 (Packet Too Big) is dropped by a firewall, the sender never learns that its packets are too large. Large TCP connections appear to work for small data transfers but hang on large payloads (like web pages with images). This is the classic "ICMP black hole" symptom.
- IPv6 stops working — blocking ICMPv6 disables NDP (no address resolution), SLAAC (no address assignment), and PMTUD (mandatory in IPv6). An IPv6 host on a network with blocked ICMPv6 effectively has no working connectivity.
- Traceroute fails — operational troubleshooting becomes significantly harder.
RFC 4890 provides detailed guidance on which ICMPv6 messages must not be filtered at network boundaries. The correct policy is to permit ICMP selectively: allow echo request/reply for diagnostics, allow PMTUD-related messages always, block types like Redirect that can be exploited, and rate-limit others.
ICMP Tunneling
Because ICMP echo is often permitted through firewalls, it can be used as a covert channel. Tools like ptunnel and icmptunnel carry TCP/IP traffic inside ICMP Echo Request/Reply packets, bypassing firewall rules that block other protocols. The traffic pattern is distinctive — unusually large or frequent ICMP echo packets with non-random payloads — and IDS/IPS systems flag it. Blocking ICMP echo at the perimeter is a valid security measure; the key is doing it without also blocking PMTUD messages, which have different type numbers.
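The traffic pattern described above can be turned into a simple detector. The following Python is an added example (not code from the original page or from any IDS product) that scores echo-request sources on three signals: payload size, request rate, and whether the payload repeats from packet to packet the way a normal ping pattern does. The records, addresses and thresholds are all constructed for the example; a single signal (for instance a large ping sent to test the MTU) is deliberately not enough to flag a source.

```python
import hashlib
import struct
from collections import defaultdict

# Thresholds are constructed starting points; tune them to the environment's baseline.
MAX_NORMAL_PAYLOAD = 64     # default ping payloads are 56 (Linux) or 32 (Windows) bytes
MAX_NORMAL_RATE = 5.0       # echo requests per second from one source
MIN_REPEAT_FRACTION = 0.5   # ping repeats one pattern; tunneled data changes every packet


def linux_ping_payload(seq: int) -> bytes:
    """Constructed stand-in for the default Linux ping payload: 8-byte timestamp + 0x10..0x3F."""
    return struct.pack("!Q", 1_700_000_000 + seq) + bytes(range(0x10, 0x40))


def constructed_records() -> list:
    """(timestamp, source, echo-request payload) tuples; all values constructed for this example."""
    recs = []
    for seq in range(5):                       # routine ping: one request per second
        recs.append((100.0 + seq, "192.0.2.10", linux_ping_payload(seq)))
    for seq in range(3):                       # oversized MTU test ping: big but repetitive
        body = (bytes(range(256)) * 6)[:1392]
        recs.append((150.0 + seq, "192.0.2.55", struct.pack("!Q", 1_700_000_100 + seq) + body))
    for i in range(40):                        # tunnel-like burst: 20/s, 1 KiB, ever-changing
        blob = b"".join(hashlib.sha256(b"chunk-%d-%d" % (i, k)).digest() for k in range(32))
        recs.append((200.0 + i * 0.05, "192.0.2.77", blob))
    return recs


def analyze_echo_stream(records: list) -> dict:
    """Score each source on size, rate and payload variability; two or more signals flag it."""
    per_src = defaultdict(list)
    for ts, src, payload in records:
        per_src[src].append((ts, payload))
    findings = {}
    for src, items in per_src.items():
        items.sort()
        span = max(items[-1][0] - items[0][0], 1.0)        # at least a 1 s window
        rate = len(items) / span
        max_len = max(len(p) for _, p in items)
        # Ignore the first 8 bytes, where Linux ping stores a per-packet timestamp.
        distinct = len({p[8:] for _, p in items})
        repeat_fraction = 1.0 - (distinct - 1) / max(len(items) - 1, 1)
        reasons = []
        if max_len > MAX_NORMAL_PAYLOAD:
            reasons.append("payload up to %d bytes" % max_len)
        if rate > MAX_NORMAL_RATE:
            reasons.append("%.1f echo requests per second" % rate)
        if repeat_fraction < MIN_REPEAT_FRACTION:
            reasons.append("%d distinct payloads in %d packets" % (distinct, len(items)))
        findings[src] = {"suspicious": len(reasons) >= 2, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for src, result in analyze_echo_stream(constructed_records()).items():
        print(src, result)
```

Requiring two of the three signals is the design choice that keeps the routine ping and the large-but-repetitive MTU test out of the alert queue while the high-rate, large, constantly changing burst is flagged on all three. In production the same logic would run over decoded echo requests from a capture or flow export rather than constructed tuples.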
ICMP Rate Limiting
Routers are typically configured to rate-limit ICMP error generation. Without rate limiting, a flood of packets triggering Destination Unreachable or Time Exceeded responses could exhaust the router's CPU. RFC 1812 recommends rate limiting, and most vendors implement token-bucket rate limiters for ICMP generation. The practical consequence: during a traceroute to a heavily loaded router, some TTL-exceeded responses may be dropped and appear as * * * in the output, even though the router itself is functioning normally and forwarding traffic correctly.
The distinction matters for interpretation: * * * in traceroute output can mean the router is filtering ICMP, is too busy to send ICMP responses, or the probes are simply being lost. It does not necessarily mean the router is down or unreachable to transit traffic.
ICMP and Anycast
Anycast addresses (the same IP address announced from multiple geographic locations) interact interestingly with ICMP. When you ping an anycast address like 1.1.1.1, the reply comes from whatever instance is closest to you by routing. Traceroute to an anycast address may show a short path because the nearest instance is geographically and topologically close. However, different traceroute probes may be answered by different instances if the routing is unstable or if you're near a BGP decision boundary, producing seemingly inconsistent path results.
ICMP in IPv4 vs IPv6: A Summary Comparison
| Function | ICMPv4 | ICMPv6 |
|---|---|---|
| Echo request/reply (ping) | Types 8/0 | Types 128/129 |
| Destination unreachable | Type 3 | Type 1 |
| Packet too big (PMTUD) | Type 3 Code 4 | Type 2 (dedicated) |
| TTL/Hop limit exceeded | Type 11 | Type 3 |
| Redirect | Type 5 | Type 137 |
| Address resolution (ARP) | Not ICMP | NDP Types 135/136 |
| Router discovery | Not ICMP (IRDP) | NDP Types 133/134 |
| Multicast group management | Not ICMP (IGMP) | MLD Types 130/131/132/143 |
| Checksum mandatory | Yes | Yes |
| Can filter safely | Some types | Very few — most are critical |
Practical Firewall Policy for ICMP
A rational ICMP firewall policy, consistent with RFC 4890 for IPv6:
- Always allow inbound and outbound: ICMP Fragmentation Needed (IPv4 Type 3 Code 4), ICMPv6 Packet Too Big (Type 2), ICMPv6 NDP types 133–137, ICMPv6 MLD types 130–132/143.
- Allow with rate limiting: Echo Request/Reply (ping) — useful for diagnostics and monitoring; Time Exceeded (traceroute).
- Consider blocking: ICMP Redirect (Type 5 / ICMPv6 Type 137) — can be exploited for traffic redirection; ICMP Timestamp (Type 13/14) — can leak system time.
- Never block wholesale: Dropping all ICMP to "improve security" is a misconfiguration that breaks PMTUD, IPv6, and operational visibility.
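The policy above, together with the token-bucket metering described under ICMP Rate Limiting, is shown here as an added Python model (not code from the original page or from any firewall vendor). The classification functions encode the four bullets; where the "always allow NDP 133–137" rule and the "consider blocking Redirect (137)" rule overlap, the more specific Redirect rule is checked first. The traffic fed to it, the source addresses and the rate and burst values are constructed.

```python
ALLOW, RATE_LIMIT, DROP = "allow", "rate-limit", "drop"


def classify_icmpv4(mtype: int, code: int) -> str:
    """Selective IPv4 policy: PMTUD always passes, Redirect/Timestamp drop, the rest is metered."""
    if (mtype, code) == (3, 4):          # Fragmentation Needed: breaking this creates black holes
        return ALLOW
    if mtype in (5, 13, 14):             # Redirect, Timestamp Request/Reply
        return DROP
    return RATE_LIMIT                    # Echo 8/0, Time Exceeded 11, other unreachables


def classify_icmpv6(mtype: int, code: int) -> str:
    """Selective IPv6 policy; the specific Redirect rule is checked before the NDP range."""
    if mtype == 137:                     # Redirect
        return DROP
    if mtype in (1, 2, 3, 4):            # error messages RFC 4890 says must not be dropped
        return ALLOW
    if 133 <= mtype <= 136 or mtype in (130, 131, 132, 143):   # NDP and MLD keep the link alive
        return ALLOW
    return RATE_LIMIT                    # Echo 128/129 and everything else


class TokenBucket:
    """Vendor-style metering: 'rate' tokens per second up to 'burst', one token per message."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.capacity = rate, float(burst)
        self.tokens, self.last = float(burst), None

    def take(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IcmpFilter:
    """Applies the policy, metering RATE_LIMIT verdicts per source address."""

    def __init__(self, rate: float = 10.0, burst: int = 5):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def decide(self, now: float, version: int, mtype: int, code: int, src: str) -> str:
        verdict = classify_icmpv6(mtype, code) if version == 6 else classify_icmpv4(mtype, code)
        if verdict != RATE_LIMIT:
            return verdict
        bucket = self.buckets.setdefault(src, TokenBucket(self.rate, self.burst))
        return ALLOW if bucket.take(now) else DROP


def simulate() -> dict:
    """Constructed traffic: a 20-packet ping burst in 0.1 s, then messages that must never be lost."""
    fw = IcmpFilter(rate=10.0, burst=5)
    echo = [fw.decide(i * 0.005, 4, 8, 0, "203.0.113.5") for i in range(20)]
    return {
        "echo_allowed": echo.count(ALLOW),
        "echo_dropped": echo.count(DROP),
        "frag_needed": fw.decide(0.1, 4, 3, 4, "203.0.113.5"),     # PMTUD passes despite the burst
        "redirect_v4": fw.decide(0.1, 4, 5, 1, "203.0.113.5"),
        "timestamp_v4": fw.decide(0.1, 4, 13, 0, "203.0.113.5"),
        "packet_too_big": fw.decide(0.1, 6, 2, 0, "2001:db8::1"),
        "neighbor_solicit": fw.decide(0.1, 6, 135, 0, "fe80::1"),
        "nd_redirect": fw.decide(0.1, 6, 137, 0, "fe80::1"),
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print("%-18s %s" % (name, verdict))
```

With a burst of 5 and a refill of 10 tokens per second, only the first five echo requests of the 0.1-second burst get through and the other fifteen are dropped, which is exactly the behaviour that shows up as `* * *` in a traceroute through a busy router. The Fragmentation Needed message from the same source is never metered, so the burst cannot starve PMTUD; that separation is the whole point of filtering by type and code rather than by protocol.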
ICMPv6 Secure Neighbor Discovery (SEND)
NDP relies on ICMPv6 messages sent to link-local and multicast addresses. On an untrusted link (public WiFi, enterprise LAN with unknown devices), a malicious host can send spoofed Router Advertisements or Neighbor Advertisements to perform man-in-the-middle attacks — a technique called NDP spoofing. RFC 3971 defines Secure Neighbor Discovery (SEND) to address this, using cryptographically generated addresses (CGA, RFC 3972) and RSA signatures on NDP messages. SEND is complex to deploy and rarely used outside of highly security-sensitive environments. More practical alternatives include:
- RA Guard (RFC 6105) — switch-level filtering that drops Router Advertisements from non-designated router ports.
- DHCPv6 Guard — drops DHCPv6 server messages from non-authorized ports.
- IPv6 First Hop Security — a collection of switch features that bind IPv6 addresses to ports, preventing address spoofing on the local segment.
Explore It Live
ICMP is invisible in BGP routing tables, but the networks that carry ICMP traffic are very much visible. A traceroute to any destination traverses ASes that you can look up here:
- 8.8.8.8 — traceroute to Google DNS and observe the ASes each hop belongs to
- 1.1.1.1 — Cloudflare's anycast DNS; TTL-exceeded replies reveal the nearest PoP
- AS3356 — Lumen (Level 3), a major backbone that appears in many traceroutes
Use the BGP looking glass to map the ASN of each traceroute hop against its real-world network operator.