Re: WG last call for IPv4 AH and ESP



Ran,

Please excuse the intrusion into an already existing conversation, but since
I may have been the ultimate cause of Ashar's request about in-band signalling,
I feel somewhat responsible for explaining.

I have been looking at the IPv6 security I-Ds and previous email on that list.
In particular, some discussion seems to suggest that there is a requirement
to protect ICMP messages, although it isn't clear which ICMP messages require
it. I spoke with Bill Simpson at the last IPv6 meeting in Palo Alto, and
he believes only end-to-end ICMP messages are candidates (for IPv6). Whether
this is true or not for IPv4 is unclear.

Others may believe that ICMP messages from intermediate routers also should
be protected. If that is true, then relying on pre-existing SAIDs isn't going
to scale. A source cannot possibly know the identity of all the intermediate
routers between itself and the destination of an IP packet. It is even less
likely that it will have a pre-existing SAID with that router. Consequently,
if ICMP messages from intermediate routers require protection and it is
a requirement that ICMP messages be processed in a timely manner, some way
must exist for the intermediate router to return keying material to the
source of the IP packet, material that can be used to establish an SAID
"on the fly." This is one reason why "in-band signalling" is important. There
are other reasons, but I think this one is enough to motivate the discussion.

Regards,

Dan
