Re: ipsec error codes
Hi Suresh,
Pyda Srisuresh wrote:
>
> <... snip>
> > I'd like some input on this before attempting to write up something more
> > substantial. Are there additional requirements? Are the ones specified
> > here correct?
> >
> > Scott
> >
> Here is my thinking on this.
>
> When a packet is dropped at any node across the network due to
> enforcement of a certain policy, it would be beneficial for the
> end-node (that originated the packet) to know the policy that
> caused the packets to drop and why.
>
One obvious concern with this would be denial of service attacks, i.e.
now, you not only have to reject the packet, but you have to send out a
meaningless notification as well. I suppose that if you could configure
the device to only respond to known (that is, configured) endpoints,
this would mitigate the risk, though not eliminate it entirely.
Scott