
ICMP Error replies and IPSEC



> From: EXT Michael Richardson [mailto:mcr@solidum.com]

> There are two possibilities:
> 1) ICMP error codes are considered to be a meta-protocol (which is
> architecturally correct), and thus they "fit" into TCP-only
> protocols because ICMP error codes contain an IP/TCP header that
> (once Src<->Dst swapped) fits into that SA.

I experimentally changed my IPSEC to handle IPv4 ICMP errors as above. IPv4
has no clear separation between ICMP error types and others, but I used the
following:

Unreachable      = 3;
SourceQuench     = 4;
Redirect         = 5;
TimeExceeded     = 11;
ParameterProblem = 12;

Did I miss any?

And when picking up the information to match the IPSEC selectors, if the
protocol is ICMP and the type is one of the above, I use the protocol and
ports from the inner IPv4 header (swapped) to find the selector and bundle
to apply. (btw. as far as I can see, swapped inner src/dst should in most
cases be the same as the src/dst in the outer header anyway).

Anyone else trying this?
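The selector lookup described in the message above, as an added C example; it is not the poster's code nor any particular IPsec implementation. It classifies ICMPv4 errors using the five types listed in the message, parses the quoted inner IPv4 header out of the ICMP payload, swaps its addresses and ports, and matches the result against a small security policy database. The packet bytes, the `SPD` entries, and the names `struct selector`, `struct spd_entry`, `extract_selector` and `lookup_bundle` are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 5-tuple used to find the policy / SA bundle (addresses and ports in host order). */
struct selector {
    uint32_t src, dst;
    uint8_t  proto;
    uint16_t sport, dport;   /* 0 when the protocol has no ports */
};

/* One SPD entry; a mask/value of 0 means "any" for that field. */
struct spd_entry {
    uint32_t src, src_mask, dst, dst_mask;
    uint8_t  proto;
    uint16_t sport, dport;
    int      bundle_id;
};

/* The ICMPv4 error types from the message: 3, 4, 5, 11, 12. */
static int is_icmp_error(uint8_t type)
{
    switch (type) {
    case 3: case 4: case 5: case 11: case 12: return 1;
    default: return 0;
    }
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Build the selector for an IPv4 packet. For ICMP errors the selector comes
 * from the quoted inner header, with src/dst and ports swapped, because the
 * inner datagram was sent by the host that will receive this error.
 * Returns 0 on success, -1 if the packet is truncated or not IPv4. */
int extract_selector(const uint8_t *pkt, size_t len, struct selector *sel)
{
    if (len < 20) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if ((pkt[0] >> 4) != 4 || ihl < 20 || len < ihl) return -1;

    memset(sel, 0, sizeof *sel);
    sel->src   = rd32(pkt + 12);
    sel->dst   = rd32(pkt + 16);
    sel->proto = pkt[9];

    const uint8_t *l4 = pkt + ihl;
    size_t l4len = len - ihl;

    if (sel->proto == 1 && l4len >= 8 && is_icmp_error(l4[0])) {
        /* RFC 792: the error carries the original IP header plus at least
         * 8 bytes of its payload, which covers TCP/UDP source and dest ports. */
        const uint8_t *in = l4 + 8;
        size_t inlen = l4len - 8;
        if (inlen < 20) return -1;
        size_t iihl = (size_t)(in[0] & 0x0f) * 4;
        if ((in[0] >> 4) != 4 || iihl < 20 || inlen < iihl + 8) return -1;

        sel->src   = rd32(in + 16);   /* inner dst becomes src */
        sel->dst   = rd32(in + 12);   /* inner src becomes dst */
        sel->proto = in[9];
        if (sel->proto == 6 || sel->proto == 17) {
            sel->sport = rd16(in + iihl + 2);   /* inner dst port */
            sel->dport = rd16(in + iihl);       /* inner src port */
        }
        return 0;
    }
    if ((sel->proto == 6 || sel->proto == 17) && l4len >= 4) {
        sel->sport = rd16(l4);
        sel->dport = rd16(l4 + 2);
    }
    return 0;
}

/* First-match SPD lookup; returns the bundle id or -1 when nothing matches. */
int lookup_bundle(const struct spd_entry *spd, size_t n, const struct selector *s)
{
    for (size_t i = 0; i < n; i++) {
        const struct spd_entry *e = &spd[i];
        if ((s->src & e->src_mask) != (e->src & e->src_mask)) continue;
        if ((s->dst & e->dst_mask) != (e->dst & e->dst_mask)) continue;
        if (e->proto && e->proto != s->proto) continue;
        if (e->sport && e->sport != s->sport) continue;
        if (e->dport && e->dport != s->dport) continue;
        return e->bundle_id;
    }
    return -1;
}

/* Constructed SPD, seen from host 10.0.0.1 (inbound direction). */
static const struct spd_entry SPD[] = {
    /* TCP from 10.0.0.2:80 to 10.0.0.1, any port -> bundle 1 */
    { 0x0A000002, 0xFFFFFFFF, 0x0A000001, 0xFFFFFFFF, 6, 80, 0, 1 },
    /* any ICMP to 10.0.0.1 -> bundle 2 */
    { 0, 0, 0x0A000001, 0xFFFFFFFF, 1, 0, 0, 2 },
};

/* Constructed packet: ICMP port unreachable from router 10.0.0.254 to 10.0.0.1,
 * quoting TCP 10.0.0.1:40000 -> 10.0.0.2:80 (checksums left as zero). */
static const uint8_t ICMP_ERR_PKT[] = {
    0x45,0x00,0x00,0x38, 0,0,0,0, 0x40,0x01,0,0, 10,0,0,254, 10,0,0,1,
    0x03,0x03,0x00,0x00, 0,0,0,0,
    0x45,0x00,0x00,0x28, 0,0,0,0, 0x40,0x06,0,0, 10,0,0,1, 10,0,0,2,
    0x9c,0x40, 0x00,0x50, 0,0,0,1,
};
/* Constructed packet: ICMP echo request from 10.0.0.2 to 10.0.0.1. */
static const uint8_t ECHO_PKT[] = {
    0x45,0x00,0x00,0x1c, 0,0,0,0, 0x40,0x01,0,0, 10,0,0,2, 10,0,0,1,
    0x08,0x00,0x00,0x00, 0,1,0,1,
};

/* Bundle a packet would be handed to; -1 if unparseable or unmatched. */
int demo_bundle(const uint8_t *pkt, size_t len)
{
    struct selector s;
    if (extract_selector(pkt, len, &s) < 0) return -1;
    return lookup_bundle(SPD, sizeof SPD / sizeof SPD[0], &s);
}

int main(void)
{
    printf("ICMP error -> bundle %d\n", demo_bundle(ICMP_ERR_PKT, sizeof ICMP_ERR_PKT));
    printf("echo request -> bundle %d\n", demo_bundle(ECHO_PKT, sizeof ECHO_PKT));
    return 0;
}
```

Matching the outer header alone would send the error to bundle 2 (any ICMP), since its source is the router, not the TCP peer; using the swapped inner header lands it in bundle 1 with the TCP session it concerns. The length checks matter in practice: a host that trusts the quoted header without verifying that the full inner IP header and 8 bytes of transport header are present reads past the packet, and RFC 792 only guarantees those 8 bytes, so ports are the most that can be taken from the inner transport header.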




