Understanding IPv6 ALG Support for ICMP
The Internet Control Message Protocol (ICMP) Application Layer Gateway (ALG) is one of the ALGs that handle ICMP traffic.
IPv6 nodes use the ICMPv6 protocol to report errors encountered in processing packets and to perform other Internet-layer functions such as diagnostics. ICMPv6 is an integral part of IPv6 and must be fully implemented by every IPv6 node; therefore the ALG layer is always enabled for ICMPv6.
ICMP Error Messages
ICMPv6 messages are grouped into two classes:
- ICMPv6 error messages (for example, Packet too big)
- ICMPv6 informational (or ping) messages
The ICMP ALG monitors all these messages and then does the following:
- Closes the session
- Modifies the payload
The ICMP ALG closes a session if either of the following conditions is met:
- It receives an echo reply message.
- It receives a destination unreachable error message and the session has not received any replies yet.
The ICMP ALG checks whether the session has already received any replies from the destination node. If it has, the destination must be reachable and the ICMP error message is not credible, so the ALG does not close the session. This prevents an attacker who has sniffed a TCP/UDP packet from forging an ICMP destination unreachable message to tear down the session.
ICMP ALG Functionality
The ICMP ALG behaves differently depending on the mode in which it operates.
ICMP ALG functionality in NAT mode:
- Close the session.
- Modify the identifier, the sequence number, or both of the echo request.
- Restore the original identifier and sequence number for the echo reply.
- NAT translates the embedded IPv6 packet of the ICMPv6 error message.
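The following is an added example, not vendor code, that models the two session-closing rules above (close on echo reply; close on destination unreachable only when the session has never seen a reply) together with the NAT-mode echo identifier rewrite and restore. The flow keys, the translated identifier pool starting at 0x4000, and the "drop" action for packets with no live session are constructed assumptions for the model.

```python
from dataclasses import dataclass

ECHO_REPLY, DEST_UNREACHABLE = 129, 1  # ICMPv6 type values (RFC 4443)

@dataclass
class Session:
    replies_seen: int = 0   # packets received from the destination node so far
    closed: bool = False

class IcmpAlg:
    """Toy model of the ALG session rules; 'key' is any hashable flow tuple."""
    def __init__(self, nat=False):
        self.nat = nat
        self.sessions = {}      # flow key -> Session
        self.id_map = {}        # NAT mode: translated echo identifier -> original
        self.next_id = 0x4000   # constructed start of the translated identifier pool

    def outbound(self, key, echo_id=None):
        """Initiator packet (UDP datagram or echo request) opens or refreshes a session.
        In NAT mode the echo identifier is rewritten; the on-the-wire value is returned."""
        self.sessions.setdefault(key, Session())
        if self.nat and echo_id is not None:
            nat_id, self.next_id = self.next_id, self.next_id + 1
            self.id_map[nat_id] = echo_id
            return nat_id
        return echo_id

    def inbound(self, key, icmp_type=None, echo_id=None):
        """Packet from the destination node. Every reply marks the destination as
        reachable; an echo reply also gets its original identifier back and closes
        the ping session."""
        s = self.sessions.get(key)
        if s is None or s.closed:
            return "drop", None          # assumption: no live session, discard
        s.replies_seen += 1
        if icmp_type == ECHO_REPLY:
            s.closed = True
            if self.nat:
                echo_id = self.id_map.pop(echo_id, echo_id)
            return "close", echo_id
        return "forward", echo_id

    def icmp_error(self, icmp_type, embedded_key):
        """ICMPv6 error whose embedded packet belongs to a tracked session."""
        s = self.sessions.get(embedded_key)
        if s is None or s.closed:
            return "drop"
        if icmp_type == DEST_UNREACHABLE and s.replies_seen == 0:
            s.closed = True
            return "close"   # no reply ever seen: treat the destination as unreachable
        return "keep"        # replies already seen: error not credible, session survives
```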
ICMP ALG functionality in NAT-PT support mode:
- Close the session.
- Translate the ICMPv4 ping message to the ICMPv6 ping message.
- Translate the ICMPv6 ping message to the ICMPv4 ping message.
- Translate the ICMPv4 error message to the ICMPv6 error message and translate its embedded IPv4 packet to an IPv6 packet.
- Translate the ICMPv6 error message to the ICMPv4 error message and translate its embedded IPv6 packet to an IPv4 packet.