
Re: ICMP "Destination unreachable" - should it be sent?



Stephen Kent writes:
 > >    This strikes me as completely backward: the sender should *always*
 > >    send it. It is the *receiver's* job to determine whether it is
 > >    believable. Having the sender second guess what the receiver
 > >    should and should not discard sounds like a great way to cause
 > >    an interoperability deadlock.
 > 
 > A receiving end system that has an IPsec SG somewhere in front of it 
 > is not necessarily able to know whether the sender is a secure 
 > source. I interpret Henry's advice in the context of that SG, and 
 > there it seems appropriate.

   I guess I'm being really dense -- or maybe I've
   missed something pertinent -- because I don't
   see the receiver's job any easier or harder
   because there is an upstream SG. The upstream
   SG may or may not filter ICMP, but that's just
   a normal firewallesque filtering decision,
   right? Maybe what I'm missing is what this
   has to do with IPsec per se.

	  Mike

