Re: ICMP Security Failures

[Hilarie Orman <ho@cs.arizona.edu>]

A few things occur to me.

>   This document specifies ICMP messages for indicating failures when
>   using IP Security Protocols (AH, ESP, and Photuris).
>
>
>   Pointer          Two octets.  An offset into the Original Internet
>                    Headers which locates most significant octet of the
>                    offending SPI.  Will be zero when no SPI is present.

Does this apply to Photuris as of draft 08?

> 2.1.  Bad SPI

>   Indicates when a received datagram includes a Security Parameters
>   Index (SPI) that is invalid or has expired.

"Indicates that a ... " ?  (and so on through the document)


> Note that in "transport-mode", the SPI indicated will be of the outer

I think I get it, but I'm not familiar with the term "transport-mode".

> Security Considerations
>
>   This mechanism is amenable to use of the Internet Security Protocols
>   for authentication and privacy.

Does this mean that the ICMP messages can be protected with AH and/or ESP?
I missed that interpretation on my first several readings.

>   ???

I don't think that any action should be taken on non-authenticated
messages, and even then, there's a distinct problem if the identities
associated with the SPI's aren't identical.  However, I might be missing
some startup scenario where the non-authenticated messages are the only
hint that will get Photuris unstuck or something.

I'd recommend saying that the identities inside and out must match.

Might also note that implementations are not required to send these
messages.

---

Follow-Ups:

• Re: ICMP Security Failures
• From: Phil Karn <karn@qualcomm.com>

---

• Prev by Date: Re: correction on SPIs
• Next by Date: Re: correction on SPIs
• Prev by thread: ICMP Security Failures
• Next by thread: Re: ICMP Security Failures
• Index(es):
  • Main
  • Thread