Michael C. Richardson
Sandelman Software Works Inc.


It is tempting to explain the internet protocol suite (IP) in terms of the standard OSI reference networking model. The success rate is high, but the model does not completely cover all parts of IP. The addition of security features to IP in the form of IPsec used the simplified OSI view, and thus failed to adequately deal with the error handling, network diagnostic and other meta-protocol issues. The Internet Control Message Protocol (ICMP) is used to carry this information, but a compliant implementation of IPsec/IKE will currently drop many important ICMP messages.

The failure can be resolved once it is recognized that ICMP is not always a protocol in the sense that TCP, UDP or AH is. Rather, it can provide meta-information about the network, and in these forms it is never seen alone on the network, but only in relation to other protocols. This relationship can be used to properly protect and authenticate ICMP datagrams, but doing so requires modifications to the base IPsec specification.
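As an added illustration (example code, not from the paper), the following Python shows the dependence the abstract describes: an ICMP error quotes the IP header and first eight bytes of the datagram that triggered it, so it can be matched against the traffic selector of the SA that protected that datagram, even though the ICMP message's own addresses and protocol match no selector. The `Selector` class, the packet builders and all addresses and ports are constructed for this example.

```python
import socket
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Selector:
    """Traffic selector of an IPsec SA (hypothetical simplified form)."""
    src: str
    dst: str
    proto: int
    dport: int

def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 header (no options, zero checksum) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(buf):
    """Return (header length, protocol, src, dst) of an IPv4 datagram."""
    ihl = (buf[0] & 0x0F) * 4
    return ihl, buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20])

def selector_match(pkt, sa):
    """Plain IPsec selector check on the datagram's own addresses, protocol and port."""
    ihl, proto, src, dst = parse_ipv4(pkt)
    if (src, dst, proto) != (sa.src, sa.dst, sa.proto):
        return False
    return struct.unpack("!HH", pkt[ihl:ihl + 4])[1] == sa.dport

def icmp_error_match(pkt, sa):
    """Match an ICMP error by the datagram it quotes, i.e. the traffic the SA carried.
    Only error types (3 unreachable, 11 time exceeded, 12 parameter problem) quote one."""
    ihl, proto, _, _ = parse_ipv4(pkt)
    icmp = pkt[ihl:]
    if proto != 1 or icmp[0] not in (3, 11, 12) or len(icmp) < 8 + 28:
        return False
    return selector_match(icmp[8:], sa)  # quoted IP header + first 8 transport bytes

# Constructed sample: DNS query 10.0.0.2:40000 -> 192.0.2.10:53 elicits a port-unreachable.
SA = Selector("10.0.0.2", "192.0.2.10", 17, 53)
QUERY = build_ipv4("10.0.0.2", "192.0.2.10", 17, struct.pack("!HHHH", 40000, 53, 8, 0))
ICMP_ERR = build_ipv4("192.0.2.10", "10.0.0.2", 1,
                      struct.pack("!BBHI", 3, 3, 0, 0) + QUERY[:28])
# Unrelated error quoting traffic to another host: must not be accepted on this SA.
OTHER_ERR = build_ipv4("192.0.2.10", "10.0.0.2", 1, struct.pack("!BBHI", 3, 3, 0, 0)
                       + build_ipv4("10.0.0.2", "198.51.100.7", 17, QUERY[20:28])[:28])
```

`selector_match(ICMP_ERR, SA)` is false, which is the drop the abstract describes; `icmp_error_match(ICMP_ERR, SA)` is true because the quoted datagram belongs to the protected flow.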


