Michael C. Richardson
Sandelman Software Works Inc.
mcr@sandelman.ottawa.on.ca
The failure can be resolved when it is realized that ICMP is not always a protocol in the sense that TCP, UDP or AH is. Rather it can provide meta information about the network and in these forms, it is never seen alone on the network, but only in relation to other protocols. This relationship can be taken advantage of to properly protect and authenticate ICMP datagrams, but it does require modifications to the base IPsec specification.