[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPv6 Neighbour Solicitation messages and IPsec


>Stefan Schlott wrote:
>  > functions of it) for the IPv6 stack of Linux, I finally allowed all ICMP
>  > messages to pass unprocessed - securing ICMP broke too many things; this
>  > is certainly not an optimal solution, but it'll have to be sufficient for
>  > the moment. I don't think it will make much sense to process some kind
>This is a good first approximation to get things going. But I think 
>it would be
>useful to try and understand the ICMP issue in a bit more detail. I'm
>thinking of a document that specifies how each ICMPv6 message should be
>treated in terms of IPsec. There are a bunch of interesting cases.
>For instance,
>	* Ping. This is very useful for testing IPsec connections as well,
>	  having it not inside IPsec would lose that functionality.
>	  Not to mention the fact that on my computer, ping6 seems to
>	  be the *only* IPv6 application.
>	* Path MTU discovery. Consider the following case:
>	   (N1)----(VPNGW1)----(R1)----(VPNGW2)-----(R2)----(N2)
>	  Assume N1 wants to send traffic to N2, part of the path
>	  goes through an insecure network part, secured using
>	  VPNGWs 1 and 2. And now Path MTU discovery is in
>	  progress between N1 and N2. Assume the smallest MTU
>	  is at R2. Then an ICMPv6 Packet Too Big message must be
>	  sent back towards the VPNGW2. Should that message
>	  go to the tunnel? I think it should.

There is nothing to prohibit transmission of this ICMP message via 
the security gateways, if appropriate SPD entries exist.

Follow-Ups: References: