One simple answer to this problem is to ignore it: do not transmit ICMP messages at all through IPsec-mediated virtual private networks. The purists would be unhappy, but would anyone notice?
One obvious stakeholder is network management staff who would like to monitor branch office machines from a central location. The network management need for echo request/echo reply can be satisfied by the current system with either upper-layer-protocol-agnostic tunnels or dedicated ICMP tunnels. One could also just use SNMP to determine uptime; however, both ICMP- and UDP-based traceroute would no longer function.
In addition, if SG1/SG2 are providing an IP subnet to IP subnet tunnel (leased line emulation), which is by far the most common use of IPsec, then router R3 can easily indicate to E1 that E2 is down with ICMP unreachable messages, and E2 can quite clearly indicate that a given service is not available with a port unreachable message.
Routers R1 and R2 cannot send any ICMP messages to E1, but that is a different problem, which will not be dealt with here. The case of ICMP fragmentation needed is covered in detail in RFC2401.
So, the question is, under what circumstances does one need something better?
The answer is: whenever one is using more restrictive selectors than subnet/subnet. This applies to per-host SAs (because router R3 cannot participate) and per-port SAs.
Per-port SAs are likely to be most common between end systems when no gateways are involved.
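The following is an added illustration, not part of this document, of why the three selector granularities behave differently for the ICMP cases above. It models the RFC2401-style selector of the SA carrying traffic from SG2's side towards E1 and checks which ICMP messages that selector would accept. The topology and addresses are assumed for the example: E1 is 10.1.0.5 behind SG1 (protecting 10.1.0.0/24), E2 is 10.2.0.5 behind SG2 (protecting 10.2.0.0/24), and R3 is 10.2.0.1, the router between SG2 and E2. A packet that matches no selector is treated as dropped, which is the SPD outcome assumed here.

```python
"""Selector matching for ICMP through IPsec: subnet/subnet vs per-host vs per-port.

Constructed topology (assumed for this example, not from the document):
  E1 (10.1.0.5) -- SG1 -- R1 -- R2 -- SG2 -- R3 (10.2.0.1) -- E2 (10.2.0.5)
Only the SG2 -> SG1 direction (packets destined to E1) is modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

PROTO_ICMP = 1
PROTO_TCP = 6


@dataclass(frozen=True)
class Selector:
    """Traffic selector of one SA: address ranges, optional protocol, optional ports."""
    src: str                          # CIDR of permitted source addresses
    dst: str                          # CIDR of permitted destination addresses
    proto: Optional[int] = None       # None means any protocol
    src_port: Optional[int] = None    # None means any port (or no ports at all)
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    src_port: Optional[int] = None    # ICMP carries no ports, so these stay None
    dst_port: Optional[int] = None
    note: str = ""


def matches(sel: Selector, pkt: Packet) -> bool:
    """True if the packet falls inside the selector and so is carried by that SA."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(sel.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(sel.dst):
        return False
    if sel.proto is not None and pkt.proto != sel.proto:
        return False
    if sel.src_port is not None and pkt.src_port != sel.src_port:
        return False
    if sel.dst_port is not None and pkt.dst_port != sel.dst_port:
        return False
    return True


# The three selector granularities discussed in the text (SG2 -> SG1 direction).
SELECTORS = {
    "subnet/subnet": Selector("10.2.0.0/24", "10.1.0.0/24"),
    "per-host": Selector("10.2.0.5/32", "10.1.0.5/32"),
    # Assumed per-port SA: E2's TCP service on port 443 replying to E1.
    "per-port": Selector("10.2.0.5/32", "10.1.0.5/32", PROTO_TCP, src_port=443),
}

# Constructed sample packets heading towards E1.
PACKETS = [
    Packet("10.2.0.1", "10.1.0.5", PROTO_ICMP, note="R3 host unreachable (E2 down)"),
    Packet("10.2.0.5", "10.1.0.5", PROTO_ICMP, note="E2 port unreachable"),
    Packet("10.2.0.5", "10.1.0.5", PROTO_TCP, 443, 51000, note="E2 TCP reply"),
]


def evaluate() -> Dict[str, Dict[str, bool]]:
    """For each selector granularity, report which packets the SA would carry."""
    return {name: {p.note: matches(sel, p) for p in PACKETS}
            for name, sel in SELECTORS.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(name)
        for note, ok in results.items():
            print(f"  {'carried' if ok else 'DROPPED'}: {note}")
```

With the subnet/subnet selector all three packets are carried, including R3's host unreachable. With a per-host selector R3's message is dropped because its source is not E2, which is the "R3 cannot participate" case. With a per-port selector even E2's own port unreachable is dropped, since the selector is pinned to TCP/443 and ICMP has neither that protocol nor ports.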
What is the effect, in these cases, of simply forgetting about ICMP?
Again, the question is: what applications care the most about failover, and would also use per-host or per-port SAs? The author suggests that any connection worth having failover machines for is also one of sufficient value that per-host or per-port SAs are warranted. That is, high value connections: online trading, airline reservations, etc.
At present, most high value transaction-oriented exchanges use their own security systems (e.g. [TRADE], [SET]), but growing availability of IPsec on end systems may make it more desirable to use one system for all security needs.