Re: ICMP messages
From: Bill.Simpson@um.cc.umich.edu
> From: smb@research.att.com
> Worse yet, if an intermediate route generates the ICMP bounce, there
> won't be enough information in the returned portion of the header to
> tie it to a particular socket.
>
> Only if you are using the same Destination+SPI for more than one
> socket.
> In general, this is not a problem for VPNs or mobility, since the
> tunnel is between hosts. It is only a problem for user-user keys,
> and then only for those not using automated key management to
> coordinate the SPIs.
I beg your pardon? First you say ``only if you are using the same
Destination+SPI for more than one socket.'', which is the case for
host-host keys. Then you say ``only a problem for user-user keys'', in
which case you're less likely to have multiple sockets per SPI. (Though
it's not impossible, of course.)
Scenarios I have in mind are things like ``destination unreachable'', from
an intermediate router. With a VPN, there will be a lot of sockets
sharing the same SPI for the firewall-to-firewall key. This is true
whether key management is manual or automated.
I confess that I'm surprised by your response, since I seem to remember
talking about this with you, and you agreeing that this was a problem.