
Re: ICMP Security Failures



>I've found it useful to describe the possible combinations in terms of
>a regular expression consisting of IP, AH, and ESP.

Seems to me that any combination of these protocols is possible, if
not necessarily useful. All three have 8-bit protocol fields in their
headers that refer to one of the Internet transport protocols,
including IP (4), AH (51) and ESP (50).

>Suppose a sequence of headers involves several different identities;
>may a host have a local policy rejecting some or all such combinations
>and still be conforming?

Local policies can reject anything they want. But the implementation
itself can't be the cause of the rejection, i.e., if the policy is to
permit something, the implementation should allow it.

>Also, must/should the ip-in-ip protocol be supported?

That's tunnel mode. Yes, it should be supported, though the requirements
for its use are always subject to local policy.

Phil
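An added example (not Phil's code, nor anything from the thread) to illustrate the "regular expression over IP, AH and ESP" idea: it follows the 8-bit protocol / next-header fields of an IPv4 packet using the protocol numbers above (4, 51, 50), builds the header chain, and checks it against a local policy written as a regex. The packet layouts, addresses, SPIs and the policy pattern are constructed for illustration.

```python
import re
import struct

# Protocol numbers named in the message (IANA assignments).
IPIP, ESP, AH = 4, 50, 51

def walk_headers(pkt: bytes) -> list[str]:
    """Follow the 8-bit protocol / next-header fields from the outer IPv4 header
    and return the chain of header names, e.g. ["IP", "AH", "ESP"]. Walking stops
    at ESP (its next-header byte is in the encrypted trailer) or at any other protocol."""
    chain, proto, off = [], IPIP, 0   # an IPv4 packet starts with an IP header
    while True:
        if proto == IPIP:
            ihl = (pkt[off] & 0x0F) * 4 if len(pkt) > off else 0
            if len(pkt) < off + 20 or pkt[off] >> 4 != 4 or ihl < 20:
                raise ValueError("truncated or malformed IPv4 header at offset %d" % off)
            chain.append("IP")
            proto, off = pkt[off + 9], off + ihl      # IPv4 'protocol' byte
        elif proto == AH:
            if len(pkt) < off + 12:
                raise ValueError("truncated AH header at offset %d" % off)
            chain.append("AH")
            # AH 'payload len' byte = header length in 32-bit words minus 2
            proto, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        else:
            if proto == ESP:
                chain.append("ESP")
            return chain

# Local policy as a regular expression over the header chain: this one accepts
# plain IP, an IP-in-IP tunnel, and at most one AH and one ESP, in that order.
DEFAULT_POLICY = r"^IP(/IP)?(/AH)?(/ESP)?$"

def policy_allows(chain: list[str], pattern: str = DEFAULT_POLICY) -> bool:
    return re.fullmatch(pattern, "/".join(chain)) is not None

# Constructed sample packets: addresses, SPIs, ICV and ciphertext are dummy bytes.
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + payload

def ah(nxt: int, icv: bytes = b"\x00" * 12) -> bytes:
    return struct.pack("!BBHII", nxt, (12 + len(icv)) // 4 - 2, 0, 1, 1) + icv

def esp() -> bytes:
    return struct.pack("!II", 1, 1) + b"\x00" * 16   # SPI, sequence, ciphertext

SAMPLE_AH_ESP = ipv4(AH, ah(ESP) + esp())           # IP/AH/ESP
SAMPLE_IPIP = ipv4(IPIP, ipv4(6, b"\x00" * 20))      # IP/IP carrying TCP
SAMPLE_AH_AH = ipv4(AH, ah(AH) + ah(ESP) + esp())   # IP/AH/AH/ESP, rejected by policy
```

Because ESP hides what follows it, a policy can only constrain the chain up to the first ESP header; anything inside must be checked again after decryption.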

