Network Working Group                                 Michael Richardson
INTERNET-DRAFT                              mcr@sandelman.ottawa.on.ca
ipsec-icmp-handle-v4.txt                       Sandelman Software Works
v1.0, September 1998
Expires in six months

             IPv4 ICMP messages and IPsec security gateways

Status of This Memo

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts
   Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).

Abstract

   This document enumerates the ICMP messages that a security gateway
   may receive, and analyses whether and how a gateway should handle
   each of them. Three types of behaviour are enumerated: discard, MAY
   be forwarded, and MUST be forwarded.

Michael Richardson mcr@sandelman.ottawa.on.ca                   [page 1]

Table of Contents

   1. Introduction
      1.1. Definition of terminology
   2. Introduction to the problem
   3. ICMP Messages
      3.1.1. All types
             3.1.1.2. Black; 3.1.1.3. Tunnel
      3.2. Destination Unreachable
         3.2.1. Host Unreachable
             3.2.1.1. Red; 3.2.1.2. Black; 3.2.1.3. Tunnel
         3.2.2. Comm. w/Dest. Host is Administratively Prohibited
             3.2.2.1. Red; 3.2.2.2. Black; 3.2.2.3. Tunnel
         3.2.3. Destination Host Unreachable for Type of Service
             3.2.3.2. Black; 3.2.3.3. Tunnel
         3.2.4. Communication Administratively Prohibited
             3.2.4.1. Red; 3.2.4.2. Black; 3.2.4.3. Tunnel
         3.2.5. Precedence cutoff in effect
             3.2.5.1. Red; 3.2.5.2. Black; 3.2.5.3. Tunnel
      3.3. RFC792 Source Quench
         3.3.1. All types
             3.3.1.1. Red; 3.3.1.2. Black; 3.3.1.3. Tunnel
      3.4. Redirect
             3.4.1.2. Black; 3.4.1.3. Tunnel
         3.4.2. Redirect Datagram for the Type of Service and Host
             3.4.2.2. Black; 3.4.2.3. Tunnel
      3.5. Alternate Host Address
             3.5.1.1. Red; 3.5.1.2. Black; 3.5.1.3. Tunnel
      3.6. Echo Request
             3.6.1.1. Red; 3.6.1.2. Black; 3.6.1.3. Tunnel
      3.7. Time Exceeded
             3.7.1.1. Red; 3.7.1.2. Black; 3.7.1.3. Tunnel
      3.8. Parameter Problem
             3.8.1.1. Red; 3.8.1.2. Black; 3.8.1.3. Tunnel
      3.9. Timestamp
         3.9.1. All type codes
             3.9.1.2. Black; 3.9.1.3. Tunnel
      3.10. Timestamp Reply
         3.10.1. All type codes
             3.10.1.2. Black; 3.10.1.3. Tunnel
      3.11. Information Request
         3.11.1. All type codes
             3.11.1.2. Black; 3.11.1.3. Tunnel
      3.12. Information Reply
         3.12.1. All type codes
             3.12.1.2. Black; 3.12.1.3. Tunnel
      3.13. Address Mask Request
             3.13.1.1. Red; 3.13.1.2. Black; 3.13.1.3. Tunnel
      3.14. Traceroute
             3.14.1.1. Red; 3.14.1.2. Black; 3.14.1.3. Tunnel
      3.15. Datagram Conversion Error
             3.15.1.1. Red; 3.15.1.2. Black; 3.15.1.3. Tunnel
      3.16. Mobile Host Redirect
             3.16.1.1. Red; 3.16.1.2. Black; 3.16.1.3. Tunnel
      3.17. IPv6 Where-Are-You
             3.17.1.1. Red; 3.17.1.2. Black; 3.17.1.3. Tunnel
      3.18. IPv6 I-Am-Here
             3.18.1.1. Red; 3.18.1.2. Black; 3.18.1.3. Tunnel
      3.19. Mobile Registration Request
             3.19.1.1. Red; 3.19.1.2. Black; 3.19.1.3. Tunnel
      3.20. Mobile Registration Reply
             3.20.1.1. Red; 3.20.1.2. Black; 3.20.1.3. Tunnel
      3.21. Domain Name Request
             3.21.1.1. Red; 3.21.1.2. Black; 3.21.1.3. Tunnel
      3.22. Domain Name Reply
             3.22.1.1. Red; 3.22.1.2. Black; 3.22.1.3. Tunnel
      3.23. SKIP
             3.23.1.1. Red; 3.23.1.2. Black; 3.23.1.3. Tunnel
      3.24. Photuris
         3.24.1. All type codes
             3.24.1.1. Red; 3.24.1.2. Black; 3.24.1.3. Tunnel
   4. Security Considerations:
   5. References:
      5.1. Author's Address
      5.2. Expiration and File Name

1. Introduction

1.1. Definition of terminology

   Here is a network of two security gateways, a client node and a
   server node.

      E1---{G1}--{R1}--{G2}--{R2}--E2

   E1 and E2 are end nodes using TCP or UDP. G1/G2 are security
   gateways. Rx are routers.

   There are both application endpoints and security association
   endpoints; they are distinguished with the following terms:

      E1 is the transport layer originator (TLO).
      E2 is the transport layer target (TLT).
      E1/G1 is a network layer originator/target pair (NLO/NLT).
      G1/G2 is a network layer originator/target pair.
      G2/E2 is a network layer originator/target pair.

   In addition, it is necessary to distinguish three interfaces of the
   security gateways at which a forwarding decision may need to be
   made:

      red interface     is the interface that is exposed to the
                        Internet.
      black interface   is the interface that is connected only to the
                        internal network.
      tunnel interface  is the logical interface that results from a
                        packet traversing an encrypted/authenticated
                        tunnel and then being decrypted.

   In general, AH/ESP packets arrive on the red interface and are
   authenticated/decrypted (i.e. decapsulated). The inner packet, once
   decapsulated, can logically be thought of as having arrived on a
   third interface for the purposes of forwarding policy.

2. Introduction to the problem

   The Internet Control Message Protocol (ICMP) is a protocol carried
   by IP networks that is unlike traditional transport protocols such
   as TCP and UDP: ICMP deals with meta-information about the network.
   As such, ICMP messages are really an integral part of a TCP/UDP
   flow, and security gateways should give them treatment similar to
   that given to the TCP/UDP flows themselves.

   The fundamental question discussed in ICMPIPSEC is which packets may
   be forwarded from each of the three defined interfaces, and what
   kind of treatment they receive after forwarding (i.e. whether an SA
   is applied and, if so, which SA).

3. ICMP Messages

3.1. Echo Reply

   Type 0, defined in RFC-0792.

   3.1.1. All types

      3.1.1.1. Red:    Discard.
      3.1.1.2. Black:  Discard.
      3.1.1.3. Tunnel: Discard.

3.2. Destination Unreachable

   Type 3, defined in RFC-0792.

   3.2.1. Host Unreachable

      Code 1.

      3.2.1.1. Red:    Discard.
      3.2.1.2. Black:  Discard.
      3.2.1.3. Tunnel: Discard.

   3.2.2. Comm. w/Dest. Host is Administratively Prohibited

      Code 10.

      3.2.2.1. Red:    Discard.
      3.2.2.2. Black:  Discard.
      3.2.2.3. Tunnel: Discard.

   3.2.3. Destination Host Unreachable for Type of Service

      Code 12.

      3.2.3.1. Red:    Discard.
      3.2.3.2. Black:  Discard.
      3.2.3.3. Tunnel: Discard.

   3.2.4. Communication Administratively Prohibited

      Code 13. From RFC1812.

      3.2.4.1. Red:    Discard.
      3.2.4.2. Black:  Discard.
      3.2.4.3. Tunnel: Discard.

   3.2.5. Precedence cutoff in effect

      Code 15. From RFC1812.

      3.2.5.1. Red:    Discard.
      3.2.5.2. Black:  Discard.
      3.2.5.3. Tunnel: Discard.

3.3. RFC792 Source Quench

   Type 4. From RFC792.

   3.3.1. All types

      3.3.1.1. Red:    Discard.
      3.3.1.2. Black:  Discard.
      3.3.1.3. Tunnel: Discard.

3.4. Redirect

   Type 5. From RFC792.

   3.4.1. Redirect Datagram for the Host

      Code 1. RFC792.

      3.4.1.1. Red:    Discard.
      3.4.1.2. Black:  Discard.
      3.4.1.3. Tunnel: Discard.

   3.4.2. Redirect Datagram for the Type of Service and Host

      Code 3. RFC792.

      3.4.2.1. Red:    Discard.
      3.4.2.2. Black:  Discard.
      3.4.2.3. Tunnel: Discard.

3.5. Alternate Host Address

   Type 5.

   3.5.1. All types

      3.5.1.1. Red:    Discard.
      3.5.1.2. Black:  Discard.
      3.5.1.3. Tunnel: Discard.

3.6. Echo Request

   Type 8.

   3.6.1. All type codes

      3.6.1.1. Red:    Discard.
      3.6.1.2. Black:  Discard.
      3.6.1.3. Tunnel: Discard.

3.7. Time Exceeded

   Type 11.

   3.7.1. All type codes

      3.7.1.1. Red:    Discard.
      3.7.1.2. Black:  Discard.
      3.7.1.3. Tunnel: Discard.

3.8. Parameter Problem

   Type 12. RFC792, RFC1108.

   3.8.1. All type codes

      3.8.1.1. Red:    Discard.
      3.8.1.2. Black:  Discard.
      3.8.1.3. Tunnel: Discard.

3.9. Timestamp

   Type 13. RFC792.

   3.9.1. All type codes

      3.9.1.1. Red:    Discard.
      3.9.1.2. Black:  Discard.
      3.9.1.3. Tunnel: Discard.

3.10. Timestamp Reply

   Type 14. RFC792.

   3.10.1. All type codes

      3.10.1.1. Red:    Discard.
      3.10.1.2. Black:  Discard.
      3.10.1.3. Tunnel: Discard.

3.11. Information Request

   Type 15. RFC792.

   3.11.1. All type codes

      3.11.1.1. Red:    Discard.
      3.11.1.2. Black:  Discard.
      3.11.1.3. Tunnel: Discard.

3.12. Information Reply

   Type 16. RFC792.

   3.12.1. All type codes

      3.12.1.1. Red:    Discard.
      3.12.1.2. Black:  Discard.
      3.12.1.3. Tunnel: Discard.

3.13. Address Mask Request

   Type 17. See RFC950.

   3.13.1. All type codes

      3.13.1.1. Red:    Discard.
      3.13.1.2. Black:  Discard.
      3.13.1.3. Tunnel: Discard.

3.14. Traceroute

   Type 30. See RFC1393.

   3.14.1. All type codes

      3.14.1.1. Red:    Discard.
      3.14.1.2. Black:  Discard.
      3.14.1.3. Tunnel: Discard.

3.15. Datagram Conversion Error

   Type 31. See RFC1475.

   3.15.1. All type codes

      3.15.1.1. Red:    Discard.
      3.15.1.2. Black:  Discard.
      3.15.1.3. Tunnel: Discard.

3.16. Mobile Host Redirect

   Type 32. See Johnson.

   3.16.1. All type codes

      3.16.1.1. Red:    Discard.
      3.16.1.2. Black:  Discard.
      3.16.1.3. Tunnel: Discard.

3.17. IPv6 Where-Are-You

   Type 33. Simpson.

   3.17.1. All type codes

      3.17.1.1. Red:    Discard.
      3.17.1.2. Black:  Discard.
      3.17.1.3. Tunnel: Discard.

3.18. IPv6 I-Am-Here

   Type 34. Simpson.

   3.18.1. All type codes

      3.18.1.1. Red:    Discard.
      3.18.1.2. Black:  Discard.
      3.18.1.3. Tunnel: Discard.

3.19. Mobile Registration Request

   Type 35. Simpson.

   3.19.1. All type codes

      3.19.1.1. Red:    Discard.
      3.19.1.2. Black:  Discard.
      3.19.1.3. Tunnel: Discard.

3.20. Mobile Registration Reply

   Type 36. Simpson.

   3.20.1. All type codes

      3.20.1.1. Red:    Discard.
      3.20.1.2. Black:  Discard.
      3.20.1.3. Tunnel: Discard.

3.21. Domain Name Request

   Type 37. Simpson.

   3.21.1. All type codes

      3.21.1.1. Red:    Discard.
      3.21.1.2. Black:  Discard.
      3.21.1.3. Tunnel: Discard.

3.22. Domain Name Reply

   Type 38. Simpson.

   3.22.1. All type codes

      3.22.1.1. Red:    Discard.
      3.22.1.2. Black:  Discard.
      3.22.1.3. Tunnel: Discard.

3.23. SKIP

   Type 39. See Markson.

   3.23.1. All type codes

      3.23.1.1. Red:    Discard.
      3.23.1.2. Black:  Discard.
      3.23.1.3. Tunnel: Discard.

3.24. Photuris

   Type 40. See Simpson.

   3.24.1. All type codes

      3.24.1.1. Red:    Discard.
      3.24.1.2. Black:  Discard.
      3.24.1.3. Tunnel: Discard.

4. Security Considerations:

   This entire document discusses a security protocol.

5. References:

   RFC1825      R. Atkinson, "Security Architecture for the Internet
                Protocol", RFC-1825, August 1995.

   ICMPIPSEC    M. Richardson, "Options for handling ICMP messages that
                must be forwarded", work in progress:
                draft-ietf-ipsec-icmp-options-00.txt, September 1998.

   ICMPIPSECV4  M. Richardson, "IPv4 ICMP messages and IPsec security
                gateways", work in progress:
                draft-ietf-ipsec-icmp-handle-v4.txt, September 1998.

   ICMPIPSECV6  M. Richardson, "IPv6 ICMP messages and IPsec security
                gateways", work in progress:
                draft-ietf-ipsec-icmp-handle-v6-00.txt, September 1998.

   ARCHSEC      R. Atkinson, S. Kent, "Security Architecture for the
                Internet Protocol", work in progress:
                draft-ietf-ipsec-arch-sec-07.txt, July 1998.

   RFC-1191     J. Mogul, S. Deering, "Path MTU Discovery", RFC-1191,
                November 1990.

   KSM-AH       New AH draft.

   metrics      I. M. ISP, "How fast can it go?",
                draft-ietf-metrics-00.txt, work in progress:
                Jan. 20, 1997.

   Gupta97-1    V. Gupta, S. Glass, "Firewall Traversal for Mobile IP:
                Goals and Requirements",
                draft-ietf-mobileip-ft-req-00.txt, work in progress:
                Jan. 20, 1997.

   Gupta97-2    V. Gupta, S. Glass, "Firewall Traversal for Mobile IP:
                Guidelines for Firewalls and Mobile IP entities",
                draft-ietf-mobileip-firewall-trav-00.txt, work in
                progress: March 17, 1997.

   RFC1256      S. Deering, "ICMP Router Discovery Messages",
                1 September 1991.

   RFC1885      A. Conta, S. Deering, "Internet Control Message Protocol
                (ICMPv6) for the Internet Protocol Version 6 (IPv6)",
                December 1995.

   RFC791       J. Postel, "Internet Protocol", 1 September 1981.

   RFC792       J. Postel, "Internet Control Message Protocol",
                1 September 1981.

   RFC950       J.C. Mogul, J. Postel, "Internet Standard Subnetting
                Procedure", 1 August 1985.

5.1. Author's Address

   Michael C. Richardson
   Solidum Systems Corporation
   940 Belfast Road
   Ottawa, ON  K1G 4A2
   Canada

   Telephone: +1 613 244-4804
   EMail: mcr@sandelman.ottawa.on.ca

5.2. Expiration and File Name

   This draft expires February 1999.
   Its file name is draft-ipsec-icmp-handle-v4-00.txt.
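Added worked example, not part of this draft or of any implementation the
draft describes: a Python model of the forwarding decision the draft sets
out in sections 1.1 through 3. A message's arrival interface (red, black or
tunnel) and its ICMP type/code select one of the three behaviours named in
the abstract; the policy table reproduces section 3, where every listed
message is "Discard" on all three interfaces. Because section 2 says ICMP
belongs to the TCP/UDP flow it refers to, the example also parses the
quoted datagram that ICMP error messages carry (the RFC 792 format) so a
gateway could tie the message to a flow. The class names (Iface, Action),
the checksum helper, the deny-by-default rule for types the draft does not
list, and the sample packets are this example's own assumptions.

```python
"""Added example; NOT part of draft-ipsec-icmp-handle-v4-00.

The POLICY table reproduces section 3 of the draft (all "Discard").  The
class names, checksum helper, deny-by-default rule for unlisted types and
the constructed sample packets are this example's assumptions.
"""
import struct
from enum import Enum


class Iface(Enum):
    RED = "red"        # exposed to the Internet
    BLACK = "black"    # connected only to the internal network
    TUNNEL = "tunnel"  # logical interface: the packet after AH/ESP decapsulation


class Action(Enum):
    DISCARD = "discard"
    MAY_FORWARD = "MAY be forwarded"
    MUST_FORWARD = "MUST be forwarded"


_ALL_DISCARD = {iface: Action.DISCARD for iface in Iface}

# (type, code) -> {Iface: Action}; a code of None matches every code of that
# type.  Types follow section 3 of the draft.  The draft prints "Type 5" for
# Alternate Host Address; IANA assigns that message type 6, used here.
POLICY = {
    (0, None): _ALL_DISCARD,                                  # Echo Reply
    **{(3, c): _ALL_DISCARD for c in (1, 10, 12, 13, 15)},    # Dest. Unreachable codes
    (4, None): _ALL_DISCARD,                                  # Source Quench
    (5, 1): _ALL_DISCARD, (5, 3): _ALL_DISCARD,               # Redirect: host, ToS+host
    (6, None): _ALL_DISCARD,                                  # Alternate Host Address
    (8, None): _ALL_DISCARD,                                  # Echo Request
    (11, None): _ALL_DISCARD,                                 # Time Exceeded
    (12, None): _ALL_DISCARD,                                 # Parameter Problem
    **{(t, None): _ALL_DISCARD for t in (13, 14, 15, 16, 17)},  # Timestamp .. Addr Mask Req
    **{(t, None): _ALL_DISCARD for t in range(30, 41)},       # Traceroute .. Photuris
}

# ICMP error messages quote the IP header + first 8 octets of the datagram
# that triggered them (RFC 792); that quote is what ties them to a flow.
ERROR_TYPES = {3, 4, 5, 11, 12}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(msg: bytes):
    """Return (type, code, payload); reject truncated or corrupt messages."""
    if len(msg) < 8:
        raise ValueError("ICMP header truncated")
    if icmp_checksum(msg) != 0:   # over a valid message the checksum folds to 0
        raise ValueError("bad ICMP checksum")
    return msg[0], msg[1], msg[8:]


def embedded_flow(payload: bytes):
    """(proto, src, dst, sport, dport) of the datagram quoted in an ICMP
    error body, or None when the quote is too short or not IPv4."""
    if len(payload) < 20:
        return None
    ihl = (payload[0] & 0x0F) * 4
    if (payload[0] >> 4) != 4 or ihl < 20 or len(payload) < ihl + 8:
        return None
    proto = payload[9]
    src = ".".join(str(b) for b in payload[12:16])
    dst = ".".join(str(b) for b in payload[16:20])
    sport = dport = None
    if proto in (6, 17):          # TCP/UDP: ports are the first 4 quoted octets
        sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    return proto, src, dst, sport, dport


def decide(msg: bytes, iface: Iface):
    """Apply the section-3 table to one message arriving on `iface`.
    Returns (action, (type, code), embedded flow or None)."""
    itype, code, payload = parse_icmp(msg)
    entry = POLICY.get((itype, code)) or POLICY.get((itype, None))
    action = entry[iface] if entry else Action.DISCARD   # unlisted type: deny (assumption)
    flow = embedded_flow(payload) if itype in ERROR_TYPES else None
    return action, (itype, code), flow


# --- constructed sample packets (not captured traffic) --------------------

def build_icmp(itype: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message and fill in its checksum field."""
    body = struct.pack("!BB", itype, code) + b"\x00\x00" + rest + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def sample_inner_ipv4() -> bytes:
    """Constructed IPv4 header + 8 octets of TCP (10.0.0.5:40000 -> 192.0.2.1:22)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, 6, 0,
                      bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1]))
    return hdr + struct.pack("!HHI", 40000, 22, 1)


if __name__ == "__main__":
    admin_prohibited = build_icmp(3, 13, payload=sample_inner_ipv4())
    for iface in Iface:
        action, kind, flow = decide(admin_prohibited, iface)
        print(iface.value, kind, action.value, flow)
    print(decide(build_icmp(8, 0, rest=b"\x00\x01\x00\x01"), Iface.RED))
```

Running the module decides a constructed "Communication Administratively
Prohibited" (type 3, code 13) message on each of the three interfaces and
reports the quoted TCP flow it refers to, then an Echo Request. The table is
deliberately data rather than code so that, if a later revision of the draft
changes an entry to MAY or MUST be forwarded, only the dictionary changes;
unlisted types fall through to discard, which is this example's choice and
not a statement of the draft.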