ICMP and the Control-Plane vs Data-Plane Distinction
What This Concept Is
Networks have two kinds of traffic running on the same wires:
- Data plane: user packets being forwarded toward their destination. Think HTTP, TCP, UDP application data. Per-packet decisions, made at line rate.
- Control plane: the traffic that tells routers and hosts how to forward. Routing-protocol updates (OSPF, BGP), DHCP, ARP/NDP, ICMP diagnostics. Slower, state-building, not per-packet.
ICMP (Internet Control Message Protocol) is a control-plane protocol carried directly on top of IP (no transport layer). It is used for:
- error reporting: "destination unreachable," "TTL exceeded," "fragmentation needed"
- diagnostics: echo request and echo reply (what `ping` uses)
- triggers for `traceroute` (by intentionally causing TTL-exceeded at each hop)
Because ICMP is not TCP or UDP, it has no ports. It is identified by IP protocol number 1 (or 58 for ICMPv6).
Why It Matters Here
Two reasons.
First, when the network misbehaves, ICMP is often the only clue. "Destination unreachable: administratively prohibited" tells you a firewall rejected the packet. "Fragmentation needed (DF set)" tells you there is an MTU mismatch. Knowing ICMP lets you read what the network is trying to tell you.
Second, the control/data split is a recurring design pattern across systems: databases separate query planners from executors, cloud platforms separate the API control plane from the workload data plane, and switches separate forwarding ASICs from the CPU running BGP. Learning it here makes it easier to recognize later.
Concrete Example
ping 93.184.215.14 sends:
IP (proto=1) src=your_ip dst=93.184.215.14
ICMP Echo Request id=0x1234 seq=1 data=...
The remote host replies with:
IP (proto=1) src=93.184.215.14 dst=your_ip
ICMP Echo Reply id=0x1234 seq=1 data=...
traceroute abuses ICMP's TTL-exceeded message: it sends packets with TTL = 1, 2, 3, ..., and each router that decrements the TTL to zero sends back an ICMP TTL-exceeded, revealing itself.
Common Confusion / Misconception
"ICMP is a transport protocol." It is not. It sits at the same layer as transport but speaks for the network layer. It is not a replacement for TCP or UDP.
"Blocking ICMP is harmless security hygiene." Blocking all ICMP breaks path-MTU discovery and kills ping/traceroute diagnostics. Operators usually block specific ICMP types, not the whole protocol.
How To Use It
When a connection fails, check for ICMP signals:
- Is `ping` reaching the destination at all?
- Does `traceroute` show the path, and where does it stop?
- Do you see ICMP errors in `tcpdump` (`icmp[icmptype] != icmp-echo`)?
- Is this a control-plane problem (routing) or a data-plane problem (per-packet delivery)?
Check Yourself
- Why does ICMP not have ports?
- What does an "ICMP TTL exceeded" error tell you about the path?
- Name one control-plane protocol and one data-plane protocol you have already seen in this module.
- Why is blocking ICMP "fragmentation needed" specifically worse than blocking ICMP echo?
- How does `traceroute` infer which router each hop belongs to, given that it never explicitly asks?
Common ICMP Types You Will Actually See
| Type | Name | When it appears |
|---|---|---|
| 0 / 8 | Echo reply / Echo request | ping |
| 3 | Destination Unreachable (with sub-codes: network, host, port, protocol, admin, frag-needed, ...) | Firewall blocks, no route, closed UDP port |
| 11 | Time Exceeded | traceroute, routing loops |
| 5 | Redirect | Router telling a host of a better next-hop |
ICMPv6 renumbers these but has direct equivalents. ICMPv6 also absorbs ARP's job via Neighbor Discovery -- if you ever capture IPv6 traffic you will see Neighbor Solicitation and Neighbor Advertisement messages, both ICMPv6.
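The following Python decoder is an added example, not part of the original notes: it classifies a raw IPv4 ICMP packet using the types in the table above, verifies the ICMP checksum, and for error messages pulls out the quoted original header and, for frag-needed, the next-hop MTU. The function names and the sample addresses (documentation ranges) are assumptions of this example, as is the input being a bare IPv4 packet with no link-layer header or trailing padding.

```python
import struct

TYPES = {0: "echo-reply", 3: "dest-unreachable", 5: "redirect",
         8: "echo-request", 11: "time-exceeded"}
UNREACH = {0: "network", 1: "host", 2: "protocol", 3: "port",
           4: "frag-needed", 13: "admin-prohibited"}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Sample builder: minimal IPv4 header (DF set, header checksum left 0)."""
    addr = bytes(map(int, (src + "." + dst).split(".")))
    return struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0x4000,
                       64, proto, 0) + addr + payload

def icmp(itype: int, code: int, rest: bytes, body: bytes) -> bytes:
    """Sample builder: ICMP message with a valid checksum filled in."""
    raw = struct.pack("!BBH", itype, code, 0) + rest + body
    return raw[:2] + struct.pack("!H", checksum(raw)) + raw[4:]

def parse_icmp(packet: bytes) -> dict:
    """Decode IPv4+ICMP; for error types also report the quoted original packet."""
    msg = packet[(packet[0] & 0x0F) * 4:] if len(packet) >= 20 else b""
    if len(msg) < 8 or not 0x45 <= packet[0] <= 0x4F or packet[9] != 1:
        raise ValueError("not a complete IPv4 packet carrying ICMP (protocol 1)")
    itype, code = msg[0], msg[1]
    out = {"type": TYPES.get(itype, f"type-{itype}"), "code": code,
           "checksum_ok": checksum(msg) == 0}
    if itype in (0, 8):                         # echo: identifier and sequence
        out["id"], out["seq"] = struct.unpack("!HH", msg[4:8])
    elif itype == 3:
        out["reason"] = UNREACH.get(code, f"code-{code}")
        if code == 4:                           # RFC 1191: next-hop MTU in bytes 6-7
            out["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    if itype in (3, 5, 11) and len(msg) >= 28:  # quoted original IPv4 header
        out["orig_proto"] = msg[17]
        out["orig_dst"] = ".".join(map(str, msg[24:28]))
    return out

# Constructed sample: router 192.0.2.1 reports frag-needed with next-hop MTU 1400.
QUOTED = ipv4("198.51.100.7", "203.0.113.9", 6, b"\x00" * 8)
SAMPLE = ipv4("192.0.2.1", "198.51.100.7", 1,
              icmp(3, 4, struct.pack("!HH", 0, 1400), QUOTED))
```

`parse_icmp(SAMPLE)` reports which destination and protocol the dropped packet was for, which is how an ICMP error is matched back to the connection that triggered it.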
Mini Drill or Application
- Run `ping -c 3 1.1.1.1`. Record the round-trip times and the TTL values.
- Run `traceroute 1.1.1.1` (or `tracert` on Windows). Count hops and note any `* * *` rows.
- Write one or two sentences explaining what each `*` means and which layer of the stack caused it.
- Try `ping -M do -s 1500 1.1.1.1` (Linux) to force a packet larger than typical MTU with the "don't fragment" bit set. Describe the ICMP error you should expect if path MTU is smaller and what breaks when that error is filtered.