
Re: ICMP messages



	 From: Bill.Simpson@um.cc.umich.edu

	 > From: smb@research.att.com
	 > Worse yet, if an intermediate route generates the ICMP bounce, there
	 > won't be enough information in the returned portion of the header to
	 > tie it to a particular socket.
	 >
	 Only if you are using the same Destination+SPI for more than one
	 socket.

	 In general, this is not a problem for VPNs or mobility, since the
	 tunnel is between hosts.  It is only a problem for user-user keys,
	 and then only for those not using automated key management to
	 coordinate the SPIs.

I beg your pardon?  First you say ``only if you are using the same
Destination+SPI for more than one socket.'', which is the case for
host-host keys.  Then you say ``only a problem for user-user keys'', in
which case you're less likely to have multiple sockets per SPI.  (Though
it's not impossible, of course.)

Scenarios I have in mind are things like ``destination unreachable'', from
an intermediate router.  With a VPN, there will be a lot of sockets
sharing the same SPI for the firewall-to-firewall key.  This is true
whether key management is manual or automated.

I confess that I'm surprised by your response, since I seem to remember
talking about this with you, and you agreeing that this was a problem.
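
The demultiplexing problem the message describes, as an added illustration (not part of the original thread, and not code from either correspondent): an intermediate router's ICMP error quotes the offending IP header plus only the first 8 bytes of its payload (RFC 792). For a cleartext TCP or UDP datagram those 8 bytes hold the ports, so the 4-tuple picks out one socket; for an ESP datagram they hold the SPI and sequence number (the RFC 4303 header layout is assumed here; earlier ESP layouts also begin with the SPI, so the conclusion is the same), so every socket riding the same Destination+SPI is an equally good candidate. All packets, addresses, SPIs and the socket table are constructed for the demonstration.

```python
"""Tie an ICMP Destination Unreachable back to a socket: works for
cleartext datagrams, ambiguous when many sockets share one ESP SA."""
import socket
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 1, 6, 17, 50
ICMP_DEST_UNREACH = 3


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (checksum left zero; not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_datagram(src, dst, sport, dport):
    """IP + bare TCP SYN: the ports are the first 4 payload bytes."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return ipv4_header(src, dst, IPPROTO_TCP, 20 + len(tcp)) + tcp


def esp_datagram(src, dst, spi, seq, ciphertext):
    """IP + ESP: SPI, sequence number, then the encrypted inner packet
    (where the inner ports live, and which a router never quotes)."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(src, dst, IPPROTO_ESP, 20 + len(esp)) + esp


def icmp_dest_unreach(router, victim, offending):
    """The bounce an intermediate router generates: type 3, code 1,
    quoting the offending IP header plus 8 bytes of payload (RFC 792)."""
    ihl = (offending[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, 1, 0, 0) + offending[:ihl + 8]
    return ipv4_header(router, victim, IPPROTO_ICMP, 20 + len(icmp)) + icmp


def parse_icmp_error(pkt):
    """Recover from the bounce whatever the quoted bytes allow."""
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("not a destination unreachable")
    quoted = icmp[8:]                       # original IP header + 8 bytes
    info = {"proto": quoted[9],
            "src": socket.inet_ntoa(quoted[12:16]),
            "dst": socket.inet_ntoa(quoted[16:20])}
    q_ihl = (quoted[0] & 0x0F) * 4
    first8 = quoted[q_ihl:q_ihl + 8]
    if len(first8) < 8:
        raise ValueError("router quoted fewer than 8 payload bytes")
    if info["proto"] in (IPPROTO_TCP, IPPROTO_UDP):
        info["sport"], info["dport"] = struct.unpack("!HH", first8[:4])
    elif info["proto"] == IPPROTO_ESP:
        info["spi"], info["seq"] = struct.unpack("!II", first8)
    return info


def sockets_matching(info, sockets):
    """Sockets the bounced datagram could belong to.  A socket is
    {laddr, raddr, lport, rport, sa}; sa is (peer, spi) for traffic
    sent through an ESP SA, or None for cleartext traffic."""
    if "sport" in info:                     # 4-tuple: unique match
        return [s for s in sockets
                if (s["laddr"], s["raddr"], s["lport"], s["rport"])
                == (info["src"], info["dst"], info["sport"], info["dport"])]
    if "spi" in info:                       # only Destination+SPI known
        return [s for s in sockets if s["sa"] == (info["dst"], info["spi"])]
    return []


# Constructed socket table: three connections riding one firewall-to-firewall
# SA (192.0.2.1 -> 198.51.100.1, SPI 0x1000) and one cleartext connection.
SA = ("198.51.100.1", 0x1000)
SOCKETS = [
    {"laddr": "10.0.0.5", "raddr": "10.1.0.7", "lport": 40001, "rport": 443, "sa": SA},
    {"laddr": "10.0.0.6", "raddr": "10.1.0.8", "lport": 40002, "rport": 22, "sa": SA},
    {"laddr": "10.0.0.5", "raddr": "10.1.0.9", "lport": 40003, "rport": 25, "sa": SA},
    {"laddr": "192.0.2.1", "raddr": "203.0.113.9", "lport": 50000, "rport": 80, "sa": None},
]


def demo():
    """Bounce one cleartext and one ESP datagram at a hypothetical router
    203.0.113.254; return the candidate sockets for each bounce."""
    clear = tcp_datagram("192.0.2.1", "203.0.113.9", 50000, 80)
    tunnel = esp_datagram("192.0.2.1", "198.51.100.1", 0x1000, 42, b"\x00" * 40)
    clear_info = parse_icmp_error(icmp_dest_unreach("203.0.113.254", "192.0.2.1", clear))
    tunnel_info = parse_icmp_error(icmp_dest_unreach("203.0.113.254", "192.0.2.1", tunnel))
    return sockets_matching(clear_info, SOCKETS), sockets_matching(tunnel_info, SOCKETS)


if __name__ == "__main__":
    clear_hits, tunnel_hits = demo()
    print("cleartext bounce matches", len(clear_hits), "socket(s)")
    print("ESP bounce matches", len(tunnel_hits), "socket(s) sharing", SA)
```

The cleartext bounce resolves to exactly one socket; the ESP bounce resolves to all three sockets behind the shared SA, which is the ambiguity the message is pointing at, and it arises regardless of whether the SA's key was installed by hand or by automated key management.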