ICMP is a very useful part of the IP protocol suite. It is often neglected because it is treated as just another protocol that runs on top of IP. That description applies only to ICMP information messages, not to ICMP error messages. An error message quotes the IP header and the leading bytes of the datagram that provoked it, so it cannot be interpreted on its own; it is best considered to be part of the flow which caused the error rather than a flow in its own right.

ICMP can be treated properly with the three extensions proposed: IPsec selectors that match on ICMP type and code, a definition of the port field of the Identity payload that carries the ICMP type, and a new per-host/per-port Identity payload type that implicitly includes the ICMP error messages belonging to the selected flow.
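The distinction drawn above, between information messages that form a flow of their own and error messages that belong to the flow that caused them, is what a selector lookup has to implement. The following is an added example written for this page, not code from the draft or from any IKE implementation. It assumes IPv4, the RFC 792 set of error types, and a hypothetical Selector class standing in for an SPD entry; the packets are constructed inline with zero checksums and are not captures. An information message is matched on the outer addresses with the ICMP type and code standing in for the port fields, as the draft proposes for the Identity payload; an error message is matched on the datagram quoted inside it, which is the flow the error belongs to (note that the quoted datagram runs in the opposite direction to the error itself).

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# ICMPv4 error types per RFC 792: destination unreachable, source quench, redirect,
# time exceeded, parameter problem.  Each quotes the IP header plus at least the
# first 8 bytes of the datagram that provoked it.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


@dataclass(frozen=True)
class Flow:
    # For ICMP information messages sport/dport carry the ICMP type/code,
    # following the draft's idea of placing the ICMP type in the port field.
    proto: int
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]


@dataclass(frozen=True)
class Selector:
    """Hypothetical SPD entry (an assumption of this example, not the draft's format)."""
    name: str
    proto: int
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int] = None       # TCP/UDP destination port, None = any
    icmp_type: Optional[int] = None   # ICMP information messages only
    icmp_code: Optional[int] = None

    def covers(self, flow: Flow) -> bool:
        if self.proto != flow.proto:
            return False
        if (ipaddress.IPv4Address(flow.src) not in self.src_net
                or ipaddress.IPv4Address(flow.dst) not in self.dst_net):
            return False
        if self.proto == IPPROTO_ICMP:
            return ((self.icmp_type is None or self.icmp_type == flow.sport)
                    and (self.icmp_code is None or self.icmp_code == flow.dport))
        return self.dport is None or self.dport == flow.dport


def parse_ipv4(buf: bytes):
    """Return (header length, protocol, src, dst) of an IPv4 header."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    first, _, _, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", buf)
    ihl = (first & 0x0F) * 4
    if first >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 version or IHL")
    return ihl, proto, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def classify_icmp(packet: bytes):
    """Map an IPv4/ICMP packet to ("info"|"error", Flow) for selector matching."""
    ihl, proto, outer_src, outer_dst = parse_ipv4(packet)
    if proto != IPPROTO_ICMP:
        raise ValueError("not an ICMP packet")
    icmp = packet[ihl:]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in ICMP_ERROR_TYPES:
        # Information message: its own flow, type/code in the port positions.
        return "info", Flow(IPPROTO_ICMP, outer_src, outer_dst, icmp_type, icmp_code)
    # Error message: attribute it to the quoted datagram, i.e. the causing flow.
    inner = icmp[8:]
    in_ihl, in_proto, in_src, in_dst = parse_ipv4(inner)
    sport = dport = None
    if in_proto in (IPPROTO_TCP, IPPROTO_UDP) and len(inner) >= in_ihl + 4:
        sport, dport = struct.unpack_from("!HH", inner, in_ihl)
    return "error", Flow(in_proto, in_src, in_dst, sport, dport)


def lookup(selectors, packet: bytes) -> Optional[str]:
    """Name of the first selector covering the packet, or None (no SA: drop)."""
    _, flow = classify_icmp(packet)
    return next((s.name for s in selectors if s.covers(flow)), None)


# --- constructed sample packets (checksums left zero; not real captures) ---
def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_icmp_error(err_src, err_dst, icmp_type, icmp_code,
                     orig_src, orig_dst, orig_proto, sport, dport) -> bytes:
    # Quote the original IP header plus the first 8 bytes of its transport header.
    quoted = ipv4_header(orig_src, orig_dst, orig_proto, 8) + struct.pack("!HHI", sport, dport, 0)
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quoted
    return ipv4_header(err_src, err_dst, IPPROTO_ICMP, len(icmp)) + icmp


def build_icmp_echo(src, dst, icmp_type, ident=1, seq=1) -> bytes:
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"\x00" * 8
    return ipv4_header(src, dst, IPPROTO_ICMP, len(icmp)) + icmp


SELECTORS = [
    Selector("dns-out", IPPROTO_UDP, ipaddress.IPv4Network("192.0.2.0/24"),
             ipaddress.IPv4Network("198.51.100.0/24"), dport=53),
    Selector("ping-in", IPPROTO_ICMP, ipaddress.IPv4Network("0.0.0.0/0"),
             ipaddress.IPv4Network("192.0.2.0/24"), icmp_type=8),
]
```

With these selectors, a port-unreachable error from 198.51.100.5 to 192.0.2.10 that quotes a UDP datagram 192.0.2.10:40000 -> 198.51.100.5:53 is covered by "dns-out", although "dns-out" says nothing about ICMP and the error travels in the opposite direction; an echo request to 192.0.2.10 is covered by "ping-in" on its type; an echo reply, or an error quoting a flow no selector covers, matches nothing and is dropped. The lookup also acts as a sanity check on forged errors: a quoted datagram that matches no protected flow is not one this host sent through an SA, so the error has no flow to be attached to.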

An IKE system that permitted multiple selectors to be negotiated per SA would obsolete all of this, but may be more general than is otherwise warranted.

ICMP, and the mechanisms by which networks report error conditions in general, must receive more attention from security experts in future protocol designs.

Michael C. Richardson