Understanding IPv6 ALG Support for ICMP

The Internet Control Message Protocol (ICMP) Application Layer Gateway (ALG) is one of the ALGs that handle ICMP traffic.

IPv6 nodes use the ICMPv6 protocol to report errors encountered in processing packets and to perform other Internet-layer functions such as diagnostics. ICMPv6 is an integral part of IPv6 and must be fully implemented by every IPv6 node; therefore the ALG layer is always enabled for ICMPv6.

ICMP Error Messages

ICMPv6 messages are grouped into two classes:

  • ICMPv6 error messages

    • Destination unreachable

    • Packet too big

    • Time exceeded

    • Parameter problem

  • ICMPv6 informational (or ping) messages

    • Echo request

    • Echo reply

The ICMP ALG monitors all these messages, and then does the following:

  • Closes the session

  • Modifies the payload

The ICMP ALG closes a session if it meets the following conditions:

  • Receives an echo reply message.

  • Receives a destination unreachable error message and has not received any replies yet.

    Note:

    The ICMP ALG checks whether the session has received any replies from the destination node. If it has received any reply, the destination should be reachable and the ICMP error message is not credible, so the ALG does not close the session. This prevents hackers from sniffing a TCP/UDP packet and forging an ICMP destination unreachable packet to kill the session.
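The close decision described above, modeled as an added example that is not the vendor's implementation. The `Session` fields, the function names and the returned action strings are assumptions, and the sample packets are constructed.

```python
import struct
from dataclasses import dataclass

# ICMPv6 message types (RFC 4443)
DEST_UNREACHABLE, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4
ECHO_REQUEST, ECHO_REPLY = 128, 129

@dataclass
class Session:
    """Hypothetical per-session state; field names are assumptions."""
    replies_seen: int = 0   # packets received back from the destination node
    closed: bool = False

def parse_icmpv6(packet: bytes):
    """Return (type, code) from the fixed 4-byte ICMPv6 header.
    Checksum verification is omitted to keep the example short."""
    if len(packet) < 4:
        raise ValueError("truncated ICMPv6 header")
    msg_type, code, _checksum = struct.unpack("!BBH", packet[:4])
    return msg_type, code

def record_reply(session: Session) -> None:
    """Call for each TCP/UDP packet returned by the destination."""
    session.replies_seen += 1

def handle_icmpv6(session: Session, packet: bytes) -> str:
    """Apply the two close conditions; return the action taken."""
    msg_type, _code = parse_icmpv6(packet)
    if msg_type == ECHO_REPLY:
        session.closed = True
        return "close"
    if msg_type == DEST_UNREACHABLE:
        if session.replies_seen == 0:
            session.closed = True
            return "close"
        # The destination has already answered, so the error is not credible.
        return "keep"
    return "pass"

# Constructed sample packets: header plus 4 bytes of message body.
UNREACHABLE = bytes([DEST_UNREACHABLE, 4, 0, 0]) + bytes(4)  # code 4: port unreachable
ECHO_REPLY_PKT = bytes([ECHO_REPLY, 0, 0, 0]) + struct.pack("!HH", 0x1234, 1)

if __name__ == "__main__":
    quiet, active = Session(), Session()
    record_reply(active)
    print(handle_icmpv6(quiet, UNREACHABLE))   # no replies yet
    print(handle_icmpv6(active, UNREACHABLE))  # replies already seen
```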

ICMP ALG Functionality

ICMP ALG behaves differently in various modes.

ICMP ALG functionality in NAT mode:

  1. Close the session.

  2. Modify the identifier, the sequence number or both of the echo request.

  3. Resume the original identifier and sequence number for the echo reply.

  4. NAT translates the embedded IPv6 packet for the ICMPv6 error message.

ICMP ALG functionality in NAT-PT support mode:

  1. Close the session.

  2. Translate the ICMPv4 ping message to the ICMPv6 ping message.

  3. Translate the ICMPv6 ping message to the ICMPv4 ping message.

  4. Translate the ICMPv4 error message to the ICMPv6 error message and translate its embedded IPv4 packet to an IPv6 packet.

  5. Translate the ICMPv6 error message to the ICMPv4 error message and translate its embedded IPv6 packet to an IPv4 packet.