Re: ICMP messages
> From: naganand@ftp.com (Naganand Doraswamy)
> Suppose say I want all packets going from host A to host B
> encrypted/authenticated and an error occurs. The ICMP packet that I send
> back will also be encrypted or authenticated and hence one will not be able
> to understand the ICMP messages as either an SPI is incorrect or the keys
> are incorrect.
>
True, but then any ICMP error message may also be dropped en route, and
therefore you cannot depend on the error message transmission.
> Now, do we say that ICMP messages are not encrypted?
I do not believe that a general blanket statement can be made, except
that ICMP messages dealing with security failures cannot be encrypted.
Keep in mind this is also a problem with authentication, when the key is
lost. So, the security failure messages cannot be authenticated either.
This is one of the reasons why the Security Failures is a separate ICMP
message set.
> In that case we cannot
> say that all packets going from host A to host B are to be encrypted?
>
Certainly not! As usual, a more sophisticated model is needed.
Bill.Simpson@um.cc.umich.edu
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2