Re: ICMP "Destination unreachable" - should it be sent?
Stephen Kent writes:
> > This strikes me as completely backward: the sender should *always*
> > send it. It is the *receiver's* job to determine whether it is
> > believable. Having the sender second guess what the receiver
> > should and should not discard sounds like a great way to cause
> > an interoperability deadlock.
>
> A receiving end system that has an IPsec SG somewhere in front of it
> is not necessarily able to know whether the sender is a secure
> source. I interpret Henry's advice in the context of that SG, and
> there it seems appropriate.
I guess I'm being really dense -- or maybe I've
missed something pertinent -- because I don't
see the receiver's job any easier or harder
because there is an upstream SG. The upstream
SG may or may not filter ICMP, but that's just
a normal firewallesque filtering decision,
right? Maybe what I'm missing is what this
has to do with IPsec per se.
Mike