
Re: fast re-keying
>Can we have a well known port to send the ICMP Unreachable to regardless
>of the key management used?  Or will they all use different ports do you
>think?

In IPv4 (don't know IPv6), ICMP Unreachables don't have "port"
numbers. ICMP messages do include the IP header of the offending
packet, plus 8 bytes of the transport header. This is sufficient in
ESP for the original sender to identify the security association in
question and to take appropriate action, such as possibly clearing
the security association and creating a new one.

The denial-of-service opportunities are apparent here, so this needs
some more thought. Yet we need a way to clear out half-open security
associations to recover from system crashes.

Phil
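The mechanism Phil describes above, worked through as an added example (not code from the original message or from any IPsec implementation): a router's ICMP Destination Unreachable quotes the offending datagram's IP header plus the first 8 bytes of its transport header, and for ESP those 8 bytes are the SPI and sequence number, which together with the quoted destination address are enough for the original sender to find the security association. The packet layouts follow RFC 791, RFC 792 and the ESP header format; the addresses, the SPI, the SA table and the plausibility checks in `locate_sa` are constructed for illustration.

```python
"""Recover the ESP security association named by an ICMPv4 Destination
Unreachable.  Added example: addresses, SPI, the SA table and the checks
in locate_sa are assumptions for illustration, not from the original post."""
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_ESP = 50
ICMP_DEST_UNREACH = 3


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071); 0 when verifying a good header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def esp_packet(src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    """IPv4 datagram carrying ESP: the first 8 bytes after the IP header are SPI, seq."""
    esp = struct.pack("!II", spi, seq) + payload
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def icmp_unreachable(router: str, offending: bytes, code: int = 1) -> bytes:
    """What a router sends back: ICMP type 3 quoting the offending datagram's
    IP header plus the first 8 bytes of its transport header (RFC 792)."""
    ihl = (offending[0] & 0x0F) * 4
    quoted = offending[:ihl + 8]
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    orig_src = socket.inet_ntoa(offending[12:16])     # ICMP goes to the original sender
    return ipv4_header(router, orig_src, IPPROTO_ICMP, len(body)) + body


def parse_icmp_unreachable(pkt: bytes):
    """Pull the quoted inner header out of an ICMP Unreachable.
    Returns a dict with inner addresses/protocol (plus spi/seq for ESP), or None."""
    if len(pkt) < 20 or pkt[9] != IPPROTO_ICMP:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH or inet_checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:               # need the 8 transport bytes
        return None
    info = {"code": icmp[1], "proto": inner[9],
            "inner_src": socket.inet_ntoa(inner[12:16]),
            "inner_dst": socket.inet_ntoa(inner[16:20])}
    if info["proto"] == IPPROTO_ESP:
        info["spi"], info["seq"] = struct.unpack("!II", inner[inner_ihl:inner_ihl + 8])
    return info


def locate_sa(pkt: bytes, sa_table: dict, local_addr: str):
    """Map an ICMP Unreachable back to one of our outbound SAs.
    sa_table is assumed to be keyed by (peer address, SPI) and to record the
    highest sequence number we have sent on that SA.  Returns (key, reason)."""
    info = parse_icmp_unreachable(pkt)
    if info is None:
        return None, "not a well-formed ICMP unreachable"
    if info["inner_src"] != local_addr:
        return None, "quoted packet was not sent by us"
    if info["proto"] != IPPROTO_ESP:
        return None, "quoted packet is not ESP"
    key = (info["inner_dst"], info["spi"])
    sa = sa_table.get(key)
    if sa is None:
        return None, "unknown SPI"
    if info["seq"] > sa["last_seq"]:          # we never sent that sequence number
        return None, "quoted sequence number never sent"
    return key, "ok"


if __name__ == "__main__":
    sas = {("10.0.0.2", 0x1234ABCD): {"last_seq": 7}}          # constructed SA table
    esp = esp_packet("10.0.0.1", "10.0.0.2", 0x1234ABCD, 7, bytes(16))
    print(locate_sa(icmp_unreachable("10.0.0.254", esp), sas, "10.0.0.1"))
```

Everything the ICMP quotes (addresses, SPI, sequence number) travels in the clear in the ESP packet, so the sequence-number check above only stops an off-path attacker who has to guess; anyone who can observe the link can forge an Unreachable that passes every check and tear down the SA. That is the denial-of-service opportunity the message points to, and it is why clearing an SA on receipt of a single ICMP needs the further thought Phil asks for.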