
RE: IPv6 Neighbour Solicitation messages and IPsec



Has not securing ICMP messages caused any interoperability problems that
you've heard of?

Best Regards,
Joseph D. Harwood
jharwood@vesta-corp.com
www.vesta-corp.com

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com] On Behalf Of Stefan Schlott
> Sent: Sunday, December 10, 2000 11:26 PM
> To: ipsec@lists.tislabs.com
> Subject: Re: IPv6 Neighbour Solicitation messages and IPsec
>
>
> Hello,
>
> > I'm wondering if there are any documents that specify rules regarding the
> > use of IPsec in the context of IPv6 Neighbor Solicitations and possibly
> > other ICMPv6 messages.
> > (...)
> > I've run into an interesting chicken-and-egg problem in this area as I'm
> > developing an IPv6 IPsec implementation. If I set my policies in a way that
> > all traffic in a LAN/WLAN should be protected with IPsec, then even some of
> > these ICMPv6 messages are trapped by IPsec.
>
> IKE uses its own protection mechanisms and should be allowed to pass IPsec
> unprocessed. During my efforts to implement IPsec (or, at least, some basic
> functions of it) for the IPv6 stack of Linux, I finally allowed all ICMP
> messages to pass unprocessed - securing ICMP broke too many things; this
> is certainly not an optimal solution, but it'll have to be sufficient for
> the moment. I don't think it will make much sense to process some kind
> of ICMP messages (e.g. ping). Enforcing IPsec on other ICMP messages will
> break interoperability with non-IPsec hosts, and making IPsec simply
> optional doesn't make sense imho.
>
> Stefan.
>
> --
> *--- please cut here... -------------------------------------- thanks! ---*
> |-> E-Mail: stefan.schlott@informatik.uni-ulm.de    PGP-Key: 0x2F36F4FE <-|
> | If Bill Gates had a dime for every time a Windows box crashed... oh,    |
> | wait a minute -- he already does.                                       |
> |   -- Seen on Slashdot (19.04.2000)                                      |
> *-------------------------------------------------------------------------*
>
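
The policy problem discussed in this thread, as an added example that is not part of either message: a first-match SPD lookup comparing a protect-everything policy, the bypass-all-ICMPv6 workaround described in the quoted reply, and a narrower variant that bypasses only Neighbor Discovery (ICMPv6 types 133-137). The structs, rule tables and the narrower variant are assumptions made for illustration, not code from the Linux implementation mentioned above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* IANA-assigned IPv6 next-header values and ICMPv6 types. */
enum { NH_UDP = 17, NH_ICMPV6 = 58 };
enum { ICMP6_ECHO_REQ = 128, ND_RS = 133, ND_NS = 135, ND_REDIRECT = 137 };
enum action { BYPASS, PROTECT };

/* Hypothetical packet summary and SPD rule, not taken from any real stack. */
struct pkt  { uint8_t next_hdr, icmp_type; uint16_t dport; };
struct rule { uint8_t next_hdr;          /* 0 = any protocol */
              uint8_t type_lo, type_hi;  /* ICMPv6 type range */
              uint16_t dport;            /* UDP destination port, 0 = any */
              enum action act; };

static int rule_matches(const struct rule *r, const struct pkt *p) {
    if (r->next_hdr && r->next_hdr != p->next_hdr) return 0;
    if (r->next_hdr == NH_ICMPV6 &&
        (p->icmp_type < r->type_lo || p->icmp_type > r->type_hi)) return 0;
    if (r->next_hdr == NH_UDP && r->dport && r->dport != p->dport) return 0;
    return 1;
}

/* Ordered lookup, first match wins; traffic matching no rule is protected. */
enum action spd_lookup(const struct rule *spd, size_t n, const struct pkt *p) {
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&spd[i], p)) return spd[i].act;
    return PROTECT;
}

/* A: protect everything on the link; Neighbor Solicitations are trapped. */
const struct rule spd_protect_all[] = { { 0, 0, 0, 0, PROTECT } };
/* B: the workaround from the thread: IKE and all ICMPv6 bypass IPsec. */
const struct rule spd_icmp_bypass[] = {
    { NH_UDP, 0, 0, 500, BYPASS }, { NH_ICMPV6, 0, 255, 0, BYPASS },
    { 0, 0, 0, 0, PROTECT } };
/* C: assumed narrower variant: only Neighbor Discovery (133-137) bypasses. */
const struct rule spd_nd_bypass[] = {
    { NH_UDP, 0, 0, 500, BYPASS }, { NH_ICMPV6, ND_RS, ND_REDIRECT, 0, BYPASS },
    { 0, 0, 0, 0, PROTECT } };
/* Constructed sample packets. */
const struct pkt pkt_ns   = { NH_ICMPV6, ND_NS, 0 };
const struct pkt pkt_echo = { NH_ICMPV6, ICMP6_ECHO_REQ, 0 };
const struct pkt pkt_ike  = { NH_UDP, 0, 500 };

int main(void) {
    printf("NS/A=%d echo/B=%d echo/C=%d\n", spd_lookup(spd_protect_all, 1, &pkt_ns),
           spd_lookup(spd_icmp_bypass, 3, &pkt_echo), spd_lookup(spd_nd_bypass, 3, &pkt_echo));
    return 0;
}
```

Anything that bypasses the SPD travels without IPsec protection, so variant C still leaves Neighbor Discovery itself unauthenticated while keeping echo traffic under the protect rule.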
