Sec. Arch. and ICMP PMTU
Various parts of the security architecture document suggest forwarding ICMP
PMTU messages received by a SG to a host or a set of hosts. Section B.3.1
is one such place. Consider the example in section B.3.1.
      H1  ====================  H3
        \ |                 | /
   H0 -- SG1* ---- R1 ---- SG2* ---- R2 -- H5
        / ^                 | \
      H2  |..................|  H4
     original      after IPsec       ICMP
     packet        processing        packet
     --------      -----------       ------
                                     IP-3 header (S = R1, D = SG1)
                                     ICMP header (includes PMTU)
                   IP-2 header       IP-2 header (S = SG1, D = SG2)
                   ESP header        minimum of 64 bits of ESP hdr (*)
     IP-1 header   IP-1 header
     TCP header    TCP header
     TCP data      TCP data
                   ESP trailer
(*) The 64 bits will include enough of the ESP (or AH) header to
include the SPI.
- ESP -- SPI (32 bits), Seq number (32 bits)
- AH -- Next header (8 bits), Payload Len (8 bits),
Reserved (16 bits), SPI (32 bits)
So, what SG1 gets from R1 is [IP-3] [ICMP hdr] [IP-2] [At least 64 bits of
the ESP header]. It is most likely that all of the IP-1 header and its
data are absent from the ICMP. Even if it were possible
to identify the host that sent the offending packet, what could be
sent back to the host? Normally (no IPsec anywhere), the host would be
sent the ICMP PMTU with IP-1 and at least 64 bits of data.
But since IP-1 is no longer available...
Thanks,
Sumit A. Vakil
3Com, Corp.
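As an added illustration (not part of the original post or of the security architecture document), the following Python builds the ICMP packet described above exactly as R1 would send it to SG1 ([IP-3] [ICMP hdr] [IP-2] [first 64 bits of ESP]) and then parses it from SG1's point of view. The addresses, SPI, sequence number and MTU are constructed sample values. The parser also handles the AH layout listed under (*), where the 64 quoted bits carry Next Header, Payload Len, Reserved and SPI, so it generalizes slightly beyond the ESP case drawn in the table.

```python
import socket
import struct

# IANA protocol numbers and the ICMP type/code for PMTU discovery (RFC 1191).
IPPROTO_ICMP = 1
IPPROTO_ESP = 50
IPPROTO_AH = 51
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4  # "fragmentation needed and DF set"

# Constructed sample addresses for the nodes in the diagram (not real hosts).
R1 = "10.0.1.1"
SG1 = "10.0.0.1"
SG2 = "10.0.2.1"


def ipv4_header(src, dst, proto, total_len, ident=0x1234, ttl=64):
    """Minimal 20-byte IPv4 header with DF set; checksum left zero (sample only)."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0x4000  # DF bit, as required for PMTU discovery
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, flags_frag,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_pmtu_icmp(spi, seq, next_hop_mtu, proto=IPPROTO_ESP):
    """Construct what R1 returns to SG1: IP-3 | ICMP hdr | IP-2 | 64 bits of ESP (or AH)."""
    if proto == IPPROTO_ESP:
        sec_hdr = struct.pack("!II", spi, seq)              # SPI, sequence number
    else:
        sec_hdr = struct.pack("!BBHI", IPPROTO_ICMP, 4, 0, spi)  # AH: next hdr, len, rsvd, SPI
    ip2 = ipv4_header(SG1, SG2, proto, 1500)                # tunnel header, S = SG1, D = SG2
    quoted = ip2 + sec_hdr                                  # RFC 792: IP header + first 64 bits
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    ip3 = ipv4_header(R1, SG1, IPPROTO_ICMP, 20 + len(icmp) + len(quoted))
    return ip3 + icmp + quoted


def parse_pmtu_icmp(pkt):
    """Parse the ICMP PMTU message as SG1 sees it and report what it can recover."""
    ihl3 = (pkt[0] & 0x0F) * 4
    icmp_type, icmp_code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[ihl3:ihl3 + 8])
    if (icmp_type, icmp_code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError("not a PMTU (fragmentation needed) message")
    quoted = pkt[ihl3 + 8:]                      # IP-2 header plus whatever R1 quoted after it
    ihl2 = (quoted[0] & 0x0F) * 4
    proto2 = quoted[9]
    sec = quoted[ihl2:]
    if len(sec) < 8:
        raise ValueError("fewer than 64 bits of the security header were quoted")
    if proto2 == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", sec[:8])
    elif proto2 == IPPROTO_AH:
        _nh, _plen, _rsv, spi = struct.unpack("!BBHI", sec[:8])
        seq = None                               # AH sequence number lies beyond the first 64 bits
    else:
        raise ValueError("quoted packet is not ESP or AH")
    # Anything beyond the 64-bit security header would be where IP-1 starts.  With the
    # minimum quote there is nothing, and for ESP it would be ciphertext anyway, so the
    # SPI is the only handle SG1 has: it identifies the SA, not the originating host.
    inner_bytes = len(sec) - 8
    return {
        "outer_src": socket.inet_ntoa(quoted[12:16]),
        "outer_dst": socket.inet_ntoa(quoted[16:20]),
        "protocol": proto2,
        "spi": spi,
        "seq": seq,
        "next_hop_mtu": mtu,
        "inner_bytes_quoted": inner_bytes,
        "inner_header_recoverable": proto2 == IPPROTO_AH and inner_bytes >= 20,
    }


if __name__ == "__main__":
    for proto in (IPPROTO_ESP, IPPROTO_AH):
        info = parse_pmtu_icmp(build_pmtu_icmp(spi=0x1234, seq=7, next_hop_mtu=576, proto=proto))
        print(info)
```

Running it shows the point of the post: SG1 learns the tunnel endpoints, the SPI and the new MTU, but `inner_bytes_quoted` is 0, so there is no IP-1 header from which to pick the originating host, let alone to forward back to it.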