
Re: ICMP "Destination unreachable" - should it be sent?



On Wed, 27 Sep 2000, Stefan Schlott wrote:
> ..."Destination Unreachable Message
> Code 1 - communication with destination administratively prohibited"
> Should this message be sent when a packet does not conform to the local
> security policy database (spd), or should such packets be silently discarded?

The central question is whether the ICMP message is believable.

If it will flow via an authenticated path (e.g. an IPsec tunnel) or via a
physically-secure path (e.g. on the "interior" side of a security gateway,
where plaintext communication is normal), then sending it is probably
wise... although administrators might want to be able to control that. 

If it will flow via an insecure path, then what good is it?  The receiver
can't trust it to tell the truth.  At most, it might give the receiver a
hint that communications difficulties are occurring, but the receiver
cannot trust that report without confirming it by other means. 

                                                          Henry Spencer
                                                       henry@spsystems.net
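As an added illustration (not code from the thread or from any IPsec implementation), the rule above can be expressed as a gateway-side decision: on an SPD discard, emit ICMP Destination Unreachable / Code 1 only when the reply would travel a path the receiver can believe, and otherwise discard silently. The `ReturnPath` classification, the `admin_enabled` knob and the sample datagram are assumptions made for this example; the ICMP layout follows RFC 792 (type 3, code 1, checksum, unused word, then the offending IP header plus 8 bytes of its payload).

```python
import struct
from enum import Enum


class ReturnPath(Enum):
    """How the ICMP reply would reach the original sender (assumed classification)."""
    IPSEC_SA = "ipsec"        # inside an authenticated IPsec SA: receiver can trust it
    INTERIOR = "interior"     # plaintext side of the gateway, physically secure
    UNTRUSTED = "untrusted"   # plaintext across the public network: not believable


def should_send_admin_prohibited(path: ReturnPath, admin_enabled: bool = True) -> bool:
    """Send Code 1 only on a believable path, and only if the administrator allows it."""
    return admin_enabled and path in (ReturnPath.IPSEC_SA, ReturnPath.INTERIOR)


def icmp_checksum(data: bytes) -> int:
    """RFC 792 / RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_admin_prohibited(original_datagram: bytes) -> bytes:
    """ICMP type 3 (Destination Unreachable), code 1 (administratively prohibited),
    quoting the dropped packet's IP header plus the first 8 bytes of its payload."""
    ihl = (original_datagram[0] & 0x0F) * 4          # IPv4 header length in bytes
    quoted = original_datagram[: ihl + 8]             # header + 8 bytes (or less if shorter)
    unchecked = struct.pack("!BBHI", 3, 1, 0, 0) + quoted
    csum = icmp_checksum(unchecked)
    return struct.pack("!BBHI", 3, 1, csum, 0) + quoted


def handle_spd_discard(original_datagram: bytes, path: ReturnPath,
                       admin_enabled: bool = True):
    """Return the ICMP message to emit for an SPD-rejected packet, or None to drop silently."""
    if not should_send_admin_prohibited(path, admin_enabled):
        return None
    return build_admin_prohibited(original_datagram)


# Constructed sample: a 20-byte IPv4 header (TCP, 8.8.8.8 -> 192.168.0.1) followed by
# 8 bytes of TCP header (ports 1234 -> 80, seq 1) and a few extra payload bytes.
SAMPLE_DATAGRAM = (bytes.fromhex("45000034000040004006000008080808c0a80001")
                   + bytes.fromhex("04d2005000000001") + b"extra")
```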


