
Security Arch and ICMP.




Hi.

In trying to deal with ICMP I have several questions for which the answers
are not clear from the Security architecture document (draft...arch-sec-03).

First, when we get back an ICMP packet that signifies an error that will not
necessarily recover (i.e. not MTU), we may fail to have enough information to
forward the ICMP packet (the ICMP contains only enough for the IPsec headers).
What should be done? Dropping the ICMP on the floor will cause poor behaviour
on the network... (suppose it'd work though)

Second, when the IPsec headers drop the PMTU below the acceptable limit (e.g.
below zero), what should be passed up/forwarded to other hosts? It seems that
low MTUs should be handled by lying to the sender, and fragmenting. Otherwise
the IPsec headers are going to eat an unreasonable amount of bandwidth.

Third, and finally, perhaps more thorough checks should be specified for
ICMP. I.e. MUST verify that the given SA has been used, MUST verify that
the packet header could be associated with the SA, etc.
	-gordo

--
---------------------------------------------------------------
Gordon Oliver	(gordo@telsur.cl)	Independent Consultant
	... Available for consulting on Linux  ...
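
The kind of check proposed in the third question, sketched as an added example that is not part of the original message or of the draft. It assumes the returned ICMP error carries the inner IPv4 header plus 8 bytes, an ESP header laid out as a 32-bit SPI followed by a 32-bit sequence number, and an AH header with the SPI at offset 4; the `OutboundSA` record, the `sadb` table and all addresses and SPI values are hypothetical and constructed for the example.

```python
import struct
from dataclasses import dataclass

ESP, AH = 50, 51  # IP protocol numbers

@dataclass
class OutboundSA:          # hypothetical record for one outbound SA
    src: bytes             # tunnel/transport source address
    dst: bytes             # destination address the SA is bound to
    last_seq: int          # highest sequence number sent so far (0 = unused)

def check_icmp_error(icmp: bytes, sadb: dict) -> str:
    """Return 'accept', or the reason an ICMP error cannot be tied to an SA."""
    if len(icmp) < 8 + 20:
        return "truncated"
    if icmp[0] not in (3, 11, 12):      # unreachable, time exceeded, param problem
        return "not-an-error"
    inner = icmp[8:]                    # header of the packet that triggered the error
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return "bad-inner-header"
    proto, src, dst = inner[9], inner[12:16], inner[16:20]
    hdr = inner[ihl:ihl + 8]            # only 8 bytes of the IPsec header come back
    if proto == ESP:
        spi, seq = struct.unpack("!II", hdr)
    elif proto == AH:
        spi, seq = struct.unpack("!I", hdr[4:8])[0], None  # seq not returned
    else:
        return "inner-not-ipsec"
    sa = sadb.get((dst, proto, spi))    # could the header belong to an SA we hold?
    if sa is None:
        return "unknown-sa"
    if sa.src != src:
        return "source-mismatch"
    if sa.last_seq == 0:                # has the SA actually been used?
        return "sa-never-used"
    if seq is not None and not 1 <= seq <= sa.last_seq:
        return "sequence-never-sent"
    return "accept"

def sample_error(proto, spi, seq, src, dst):
    """Build a constructed ICMP host-unreachable carrying an ESP or AH header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, proto, 0, src, dst)
    ipsec = (struct.pack("!II", spi, seq) if proto == ESP
             else struct.pack("!BBHI", 4, 4, 0, spi))
    return struct.pack("!BBHI", 3, 1, 0, 0) + ip + ipsec

GW_A, GW_B = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])   # constructed
SADB = {(GW_B, ESP, 0x1001): OutboundSA(GW_A, GW_B, last_seq=40)}
```

ICMP checksum validation and the decision about what to forward once an error is accepted are left out; the sketch covers only the association between the error and an SA.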