[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IPv6 Neighbour Solicitation messages and IPsec
Hello,
> I'm wondering if there are any documents that specify rules regarding the
> use of IPsec in the context of IPv6 Neighbor Solicitations and possibly
> other ICMPv6 messages.
> (...)
> I've run in to an interesting chicken-and-egg problem in this area as I'm
> developing an IPv6 IPsec implementation. If I set my policies in a way that
> all traffic in a LAN/WLAN should be protected with IPsec, then even some of these
> ICMPv6 messages are trapped by IPsec.
IKE uses its own protection mechanisms and should be allowed to pass IPsec
unprocessed. During my efforts to implement IPsec (or, at least, some basic
functions of it) for the IPv6 stack of Linux, I finally allowed all ICMP
messages to pass unprocessed - securing ICMP broke too many things; this
is certainly not an optimal solution, but it'll have to be sufficient for
the moment. I don't think it will make much sense to process some kind
of ICMP messages (e.g. ping). Enforcing IPsec on other ICMP messages will
break interoperability with non-IPsec hosts, and making IPsec simply
optional doesn't make sense imho.
Stefan.
--
*--- please cut here... -------------------------------------- thanks! ---*
|-> E-Mail: stefan.schlott@informatik.uni-ulm.de PGP-Key: 0x2F36F4FE <-|
| If Bill Gates had a dime for every time a Windows box crashed... oh, |
| wait a minute -- he already does. |
| -- Seen on Slashdot (19.04.2000) |
*-------------------------------------------------------------------------*
Follow-Ups:
References: