IPv6 and the importance of the ICMPv6 – Packet Too Big message

Been reading a lot about IPv6, is it or isn’t it, will it be or will it not be, when it will be and just get ready for it…

So here I go, this is by no means an in-depth look into IPv6 or ICMPv6 and I have a lot more to learn but this is my start and maybe it will help somebody else get started also.

Studying for my CCIE R&S written again, my 2 lab attempts have not gone so well, and came across a question with the answer being “Packet Too Big message” is sent back to the source that packets need to be smaller.

This “Packet Too Big message” is part of the Path MTU Discovery mechanism and is vital to IPv6 sending packets now that fragmentation happens at the IPv6 host and not done by the router.

“As in IPv4, path MTU discovery in IPv6 allows a host to dynamically discover and adjust to differences in the MTU size of every link along a given data path. In IPv6, however, fragmentation is handled by the source of a packet when the path MTU of one link along a given data path is not large enough to accommodate the size of the packets. Having IPv6 hosts handle packet fragmentation saves IPv6 router processing resources and helps IPv6 networks run more efficiently.” (Quote is from and more information about PMTUD at: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-addrg_bsc_con_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1282252)

So the journey begins to see this packet in wireshark…

Easy setup, I think this lab (configs at the end of the post) will show me what I want to see, with a little help from an ipv6 access-list and ipv6 traffic-filter on R1, R1 <-> R2 <-> R3, and set the ‘R2(config-if)# ipv6 mtu 1280’ on the interface between R2 <-> R3 and start a ping on R1 destined for R3 with size set to 1510 for good measure ‘R1#ping 2323:2222::3 size 1510’

R1#ping 2323:2222::3 size 1510

Type escape sequence to abort.

Sending 5, 1510-byte ICMP Echos to 2323:2222::3, timeout is 2 seconds:

…..

Success rate is 0 percent (0/5)

R1#sh ipv6 access-list

IPv6 access list ICMP_DENY

deny icmp any any packet-too-big (9 matches) sequence 10

permit icmp any any (10 matches) sequence 20

permit ipv6 any any sequence 30

Been reading a lot about IPv6, is it or isn’t it, will it be or will it not be, when it will be and just get ready for it…

So here I go, this is by no means an in-depth look into IPv6 or ICMPv6 and I have a lot more to learn but this is my start and maybe it will help somebody else get started also.

Studying for my CCIE R&S written again, my 2 lab attempts have not gone so well, and came across a question with the answer being “Packet Too Big message” is sent back to the source that packets need to be smaller.

This “Packet Too Big message” is part of the Path MTU Discovery mechanism and is vital to IPv6 sending packets now that fragmentation happens at the IPv6 host and not done by the router.

“As in IPv4, path MTU discovery in IPv6 allows a host to dynamically discover and adjust to differences in the MTU size of every link along a given data path. In IPv6, however, fragmentation is handled by the source of a packet when the path MTU of one link along a given data path is not large enough to accommodate the size of the packets. Having IPv6 hosts handle packet fragmentation saves IPv6 router processing resources and helps IPv6 networks run more efficiently.” (Quote is from and more information about PMTUD at: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-addrg_bsc_con_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1282252)

So the journey begins to see this packet in wireshark…

Easy setup, I think this lab (configs at the end of the post) will show me what I want to see, with a little help from an ipv6 access-list and ipv6 traffic-filter on R1, R1 <-> R2 <-> R3, and set the ‘R2(config-if)# ipv6 mtu 1280’ on the interface between R2 <-> R3 and start a ping on R1 destined for R3 with size set to 1510 for good measure ‘R1#ping 2323:2222::3 size 1510’

R1#ping 2323:2222::3 size 1510

Type escape sequence to abort.

Sending 5, 1510-byte ICMP Echos to 2323:2222::3, timeout is 2 seconds:

…..

Success rate is 0 percent (0/5)

R1#sh ipv6 access-list

IPv6 access list ICMP_DENY

deny icmp any any packet-too-big (9 matches) sequence 10

permit icmp any any (10 matches) sequence 20

permit ipv6 any any sequence 30

Great so now we see we have to let those ICMP ‘packet-too-big’ messages flow or we are not going to get any traffic across are new and better than sliced bread IPv6 network…

Let’s change up that ipv6 access-list and let them through and see the difference:

R1#ping 2323:2222::3 size 1510

Type escape sequence to abort.

Sending 5, 1510-byte ICMP Echos to 2323:2222::3, timeout is 2 seconds:

B.!!!

Success rate is 60 percent (3/5), round-trip min/avg/max = 28/46/64 ms

R1#sh ipv6 access-list

IPv6 access list ICMP_DENY

permit icmp any any packet-too-big (5 matches) sequence 10

permit icmp any any (14 matches) sequence 20

permit ipv6 any any sequence 30

Bonus we even got a new character in the ping output that is new to me the letter ‘B’, assume that stands for packet-too-big and take a look at the wire shark now:

Run it again for and see what is on the wireshark:
R1#ping 2323:2222::3 size 1510
Type escape sequence to abort.
Sending 5, 1510-byte ICMP Echos to 2323:2222::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/46/96 ms

No ‘packet-too-big’ packet anymore because R1 knows that the mtu is only 1280 via the first ‘packet-too-big’ message.
And on a final note, if the ‘packet-too-big’ messages are blocked this would still allow smaller packets to go through just fine while your larger packets would not make it, I can see this being a troubleshooting nightmare if IPv6 and ICMPv6 is not understood.
Back to denying the ‘packet-too-big’ messages:
R1#sh ipv6 access-list
IPv6 access list ICMP_DENY
deny icmp any any packet-too-big (10 matches) sequence 10
permit icmp any any (28 matches) sequence 20
permit ipv6 any any sequence 30

R1#ping 2323:2222::3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2323:2222::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/44/120 ms
R1#ping 2323:2222::3 size 1500
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 2323:2222::3, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
R1#ping 2323:2222::3 size 1200
Type escape sequence to abort.
Sending 5, 1200-byte ICMP Echos to 2323:2222::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/34/84 ms
R1#ping 2323:2222::3 size 1280
Type escape sequence to abort.
Sending 5, 1280-byte ICMP Echos to 2323:2222::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/64 ms
R1#ping 2323:2222::3 size 1281
Type escape sequence to abort.
Sending 5, 1281-byte ICMP Echos to 2323:2222::3, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)

LAB ROUTER CONFIGURATIONS:
hostname R1
!
ipv6 unicast-routing
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
ipv6 address 1212:2222::1/64
ipv6 traffic-filter ICMP_DENY in
!
ipv6 route ::/0 1212:2222::2
!
ipv6 access-list ICMP_DENY
deny icmp any any packet-too-big
permit icmp any any
permit ipv6 any any

hostname R2
!
ipv6 unicast-routing
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
ipv6 address 1212:2222::2/64
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
ipv6 address 2323:2222::2/64
ipv6 mtu 1280

hostname R3
!
ipv6 unicast-routing
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
ipv6 address 2323:2222::3/64
!
ipv6 route ::/0 2323:2222::2

Advertisements