Re: ICMP "Destination unreachable" - should it be sent?
- To: Michael Thomas <mat@cisco.com>
- Subject: Re: ICMP "Destination unreachable" - should it be sent?
- From: Stephen Kent <kent@bbn.com>
- Date: Sat, 30 Sep 2000 16:10:26 -0400
- Cc: IP Security List <ipsec@lists.tislabs.com>
- In-Reply-To: <14805.3467.20133.51811@thomasm-u1.cisco.com>
- References: <20000927085920.B11807@blackbird.extern.uni-ulm.de><Pine.BSI.3.91.1000929134818.25495J-100000@spsystems.net><14805.3467.20133.51811@thomasm-u1.cisco.com>
- Sender: owner-ipsec@lists.tislabs.com
Mike,
>Henry Spencer writes:
> > On Wed, 27 Sep 2000, Stefan Schlott wrote:
> > > ..."Destination Unreachable Message
> > > Code 1 - communication with destination administratively prohibited"
> > > Should this message be sent when a packet does not conform to the local
> > > security policy database (spd), or should such packets be silently
> > > discarded?
> >
> > The central question is whether the ICMP message is believable.
> >
> > If it will flow via an authenticated path (e.g. an IPsec tunnel) or via a
> > physically-secure path (e.g. on the "interior" side of a security gateway,
> > where plaintext communication is normal), then sending it is probably
> > wise... although administrators might want to be able to control that.
> >
> > If it will flow via an insecure path, then what good is it? The receiver
> > can't trust it to tell the truth. At most, it might give the receiver a
> > hint that communications difficulties are occurring, but the receiver
> > cannot trust that report without confirming it by other means.
>
> This strikes me as completely backward: the sender should *always*
> send it. It is the *receiver's* job to determine whether it is
> believable. Having the sender second guess what the receiver
> should and should not discard sounds like a great way to cause
> an interoperability deadlock.
A receiving end system that has an IPsec SG somewhere in front of it
is not necessarily able to know whether the sender is a secure
source. I interpret Henry's advice in the context of that SG, and
there it seems appropriate.
Steve