- Time Exceeded (Type 3) - Code 0
- Parameter Problem (Type 4) - Code 0
Time Exceeded messages with Code 0 are essentially the same thing as IPv4. When a IPv6 packet hits a router with a hop limit equal to 1, the router should discard the packet and send the time exceeded message back to the sender. The data portion of the ICMPv6 message should contain as much of the offending packet as possible.
The chart above illustrates this concept. We see that it is an ICMPv6 Time Exceeded packet. If you look under the 'IPv6 in ICMPv6' heading you see the Hop Limit (hlim) equaled 1 on the offending packet which caused this Time Exceeded message to be generated.
Basically, firewall administrators have two choices when receiving packets with a Hop Limit of 1. The firewall can return an ICMPv6 Time Exceeded packet or it simply discard it. Returning a Time Exceeded packet can help in attacker reconnaissance. In IPv4, the tool Firewalk made popular a technique of determining a firewall's filter rule set through the use of Time Exceeded packets. Basically, the tool calculated the hop distance to the firewall it was testing then sent packets to it with a TTL of 1 . Each packet had a different port that Firewalk wanted to test for openings on. If no packet was returned then it was likely the port was filtered. If a Time Exceeded packet was returned it was likely the port was open. Therefore, the administrator has the common trade off between security and operations. While allowing Time Exceeded messages could be useful for finding routing loops they could also provide an attacker with useful information.
The second type of message that "Normally Should Not Be Dropped" is the Parameter Problem Type with Code 0. Code 0 signifies that an erroneous header field was encountered. Here we again have the trade off between security and operations. It could be useful for debugging an application if the this type of packet was returned. However, it can give an attacker some information about the target.
