
Re: ipsec error codes



Hi Suresh,

Pyda Srisuresh wrote:
> 
> <... snip>
> > I'd like some input on this before attempting to write up something more
> > substantial. Are there additional requirements? Are the ones specified
> > here correct?
> >
> > Scott
> >
> Here is my thinking on this.
> 
> When a packet is dropped at any node across the network due to
> enforcement of a certain policy, it would be beneficial for the
> end-node (that originated the packet) to know the policy that
> caused the packets to drop and why.
> 

One obvious concern with this would be denial of service attacks, i.e.
now, you not only have to reject the packet, but you have to send out a
meaningless notification as well. I suppose that if you could configure
the device to only respond to known (that is, configured) endpoints,
this would mitigate the risk, though not eliminate it entirely.

Scott
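The reply above raises the reflection risk (every reject now produces a send an attacker can drive) and suggests notifying only configured endpoints. The following is an added illustration written for this archive, not code from anyone in the thread: it implements that allowlist check, and, as an assumption that goes beyond the message, adds a per-peer token bucket, since a spoofed source that matches a configured peer can still trigger notifications. The peer list and drop events are constructed sample data.

```python
"""Added example (not from the thread): decide whether a policy-drop
notification should be sent back toward a packet's source.

Mitigation 1 (from the reply): notify only configured endpoints.
Mitigation 2 (assumption added here): rate-limit notifications per peer,
because the allowlist alone does not eliminate the reflected-send risk.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate: float          # tokens refilled per second
    burst: int           # bucket capacity (max notifications in a burst)
    tokens: float = 0.0
    last: float = 0.0    # time of last refill

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class DropEvent:
    src: str      # source address of the dropped packet
    dst: str
    policy: str   # name of the policy that caused the drop
    reason: str


class NotificationPolicy:
    def __init__(self, configured_peers, rate=1.0, burst=5):
        # Hypothetical allowlist: the endpoints this node is configured to talk to.
        self.peers = [ipaddress.ip_network(p) for p in configured_peers]
        self.rate = rate
        self.burst = burst
        self.buckets = {}  # per-source token buckets

    def is_configured(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.peers)

    def decide(self, event: DropEvent, now: float):
        """Return (send_notification, explanation) for one drop event."""
        if not self.is_configured(event.src):
            return False, "source is not a configured endpoint; drop silently"
        bucket = self.buckets.get(event.src)
        if bucket is None:
            bucket = TokenBucket(self.rate, self.burst, tokens=self.burst, last=now)
            self.buckets[event.src] = bucket
        if not bucket.allow(now):
            return False, "per-peer notification rate exceeded; drop silently"
        return True, f"notify {event.src}: dropped by policy {event.policy!r} ({event.reason})"


def run_sample():
    """Constructed scenario: two configured peers, burst of 2, refill 1/s."""
    policy = NotificationPolicy(["10.1.0.0/16", "192.0.2.7"], rate=1.0, burst=2)
    events = [
        (0.0, DropEvent("10.1.2.3", "10.2.0.1", "deny-telnet", "port 23 blocked")),
        (0.0, DropEvent("10.1.2.3", "10.2.0.1", "deny-telnet", "port 23 blocked")),
        (0.0, DropEvent("10.1.2.3", "10.2.0.1", "deny-telnet", "port 23 blocked")),  # exceeds burst
        (0.0, DropEvent("203.0.113.9", "10.2.0.1", "deny-telnet", "port 23 blocked")),  # unknown source
        (1.0, DropEvent("10.1.2.3", "10.2.0.1", "deny-telnet", "port 23 blocked")),  # one token refilled
        (1.0, DropEvent("192.0.2.7", "10.2.0.1", "require-esp", "cleartext not allowed")),
    ]
    return [policy.decide(ev, now) for now, ev in events]


if __name__ == "__main__":
    for send, why in run_sample():
        print("SEND  " if send else "QUIET ", why)
```

The third and fourth events show the two quiet paths: a configured peer that has exhausted its notification budget, and a source that is not configured at all. Unknown sources get no reply, so they cannot use the node as a reflector; configured peers still get bounded feedback about which policy dropped their traffic.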

