
Re: ICMP messages



> From: naganand@ftp.com (Naganand Doraswamy)
> Suppose say I want all packets going from host A to host B
> encrypted/authenticated and an error occurs. The ICMP packet that I send
> back will also be encrypted or authenticated and hence one will not be able
> to understand the ICMP messages as either an SPI is incorrect or the keys
> are incorrect.
>
True, but then any ICMP error message may also be dropped en route, and
therefore you cannot depend on the error message transmission.


> Now, do we say that ICMP messages are not encrypted?

I do not believe that a general blanket statement can be made, except
that ICMP messages dealing with security failures cannot be encrypted.

Keep in mind this is also a problem with authentication, when the key is
lost.  So, the security failure messages cannot be authenticated either.

This is one of the reasons why the Security Failures is a separate ICMP
message set.


> In that case we cannot
> say that all packets going from host A to host B are to be encrypted?
>
Certainly not!  As usual, a more sophisticated model is needed.

Bill.Simpson@um.cc.umich.edu
          Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2