
ICMP message from SG to Host to say "Need access to TCP or UDP Protocol or Port information"
I've just had a scan on Appendix D of the IPSEC architecture for help on
generating an ICMP from a Security Gateway to a 'protected host' :

Host1----SG1-----SG2----Host2

If Host1 sends packets to Host2 that are ipsec-blocked by SG1, what ICMP
Name/Code could SG1 generate?

What started me thinking about this was the problem of Host1 generating ESP
or IPCOMP packets that obscured the inner TCP/UDP details needed by SG1 to
match on a policy, but I guess this is a generic problem of 'policy block'.
Does "Destination Network Unreachable for Type of Service" cover it?

Cheers, Steve.
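The situation Steve describes, as an added, constructed example (not code from the post or from the IPsec specification): a toy security-gateway classifier that pulls the selectors a policy match needs out of an IPv4 packet, shows that ESP and IPComp packets expose no TCP/UDP ports to a transit gateway, and builds the ICMP Destination Unreachable that the gateway would send back to the protected host for a blocked packet. The policy, the addresses and the use of code 11 ("Destination Network Unreachable for Type of Service", RFC 1812) for the reply are assumptions chosen to match the question; the ICMP layout itself (type 3, offending IP header plus 8 payload bytes) follows RFC 792.

```python
"""
Toy security-gateway (SG) classifier: constructed example showing why
ESP/IPComp hide the TCP/UDP selectors a policy match needs, and how an
ICMP Destination Unreachable for the blocked packet would be built.
"""
import socket
import struct

# IANA protocol numbers
TCP, UDP, ESP, IPCOMP = 6, 17, 50, 108
ICMP_DEST_UNREACH = 3
# Assumption: the SG answers a policy block with RFC 1812 code 11,
# "Destination Network Unreachable for Type of Service".
ICMP_CODE_NET_UNREACH_TOS = 11


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (0 when verifying)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def classify(pkt: bytes) -> dict:
    """Extract the policy selectors; ports are only visible for plain TCP/UDP."""
    ihl = (pkt[0] & 0x0F) * 4
    sel = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
           "proto": pkt[9], "sport": None, "dport": None}
    if sel["proto"] in (TCP, UDP):
        sel["sport"], sel["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    # For ESP the next-header and inner transport header sit inside the
    # encrypted payload/trailer; for IPComp the inner packet is compressed.
    # Neither exposes ports to a gateway that is not the tunnel endpoint.
    return sel


# Constructed policy: permit TCP to port 443 on Host2, deny everything else.
POLICY = [{"proto": TCP, "dport": 443, "action": "permit"}]


def policy_action(sel: dict) -> str:
    for rule in POLICY:
        if rule["proto"] == sel["proto"] and rule["dport"] == sel["dport"]:
            return rule["action"]
    return "deny"  # a selector with no ports can never match a port rule


def build_icmp_unreachable(offending: bytes, code: int = ICMP_CODE_NET_UNREACH_TOS) -> bytes:
    """Type 3 ICMP quoting the offending IP header + first 8 payload bytes (RFC 792)."""
    ihl = (offending[0] & 0x0F) * 4
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + offending[:ihl + 8]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def gateway(pkt: bytes):
    """SG1 decision for one packet: (selectors, action, ICMP reply or None)."""
    sel = classify(pkt)
    action = policy_action(sel)
    icmp = None if action == "permit" else build_icmp_unreachable(pkt)
    return sel, action, icmp


if __name__ == "__main__":
    tcp = build_ipv4("10.0.0.1", "10.0.1.1", TCP, struct.pack("!HH", 40000, 443) + b"\x00" * 16)
    esp = build_ipv4("10.0.0.1", "10.0.1.1", ESP, b"\x00" * 16)
    for name, pkt in (("TCP", tcp), ("ESP", esp)):
        sel, action, icmp = gateway(pkt)
        print(name, sel, action, icmp.hex() if icmp else "-")
```

The ESP packet is denied not because a rule forbids it but because the selector the policy needs (the destination port) does not exist at SG1; the ICMP reply quotes the ESP header so Host1 can correlate it with the SA it used.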
