Re: IPv6 Neighbour Solicitation messages and IPsec
Jari,
>Stefan Schlott wrote:
>
> > functions of it) for the IPv6 stack of Linux, I finally allowed all ICMP
> > messages to pass unprocessed - securing ICMP broke too many things; this
> > is certainly not an optimal solution, but it'll have to be sufficient for
> > the moment. I don't think it will make much sense to process some kind
>
>This is a good first approximation to get things going. But I think
>it would be useful to try and understand the ICMP issue in a bit more
>detail. I'm thinking of a document that specifies how each ICMPv6 message
>should be treated in terms of IPsec. There are a bunch of interesting
>cases. For instance,
>
> * Ping. This is very useful for testing IPsec connections as well,
> having it not inside IPsec would lose that functionality.
> Not to mention the fact that on my computer, ping6 seems to
> be the *only* IPv6 application.
>
> * Path MTU discovery. Consider the following case:
>
> (N1)----(VPNGW1)----(R1)----(VPNGW2)-----(R2)----(N2)
>
> Assume N1 wants to send traffic to N2, part of the path
> goes through an insecure network part, secured using
> VPNGWs 1 and 2. And now Path MTU discovery is in
> progress between N1 and N2. Assume the smallest MTU
> is at R2. Then an ICMPv6 Packet Too Big message must be
> sent back towards the VPNGW2. Should that message
> go to the tunnel? I think it should.
There is nothing to prohibit transmission of this ICMP message via
the security gateways, if appropriate SPD entries exist.
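As an added illustration (not code from this thread), a toy SPD lookup in Python showing why the Packet Too Big message in Jari's topology needs its own SPD entry at VPNGW2: its source is R2, not N2, so an outbound policy that only covers N1 <-> N2 traffic never matches it and the message is discarded. The addresses are constructed from the RFC 3849 documentation prefix, and the ICMPv6 type range selector is a simplified model of the RFC 4301 ICMP type/code selector.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple

ICMPV6 = 58          # next-layer protocol number of ICMPv6
PACKET_TOO_BIG = 2   # ICMPv6 type carried by Path MTU discovery

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int] = None   # only meaningful when proto == ICMPV6

@dataclass(frozen=True)
class SpdEntry:
    # One SPD selector set: addresses, next-layer protocol, ICMPv6 type range, action.
    src: IPv6Network
    dst: IPv6Network
    proto: Optional[int]                    # None matches any protocol
    icmp_types: Optional[Tuple[int, int]]   # inclusive type range, None matches any type
    action: str                             # PROTECT, BYPASS or DISCARD

    def matches(self, p: Packet) -> bool:
        if IPv6Address(p.src) not in self.src or IPv6Address(p.dst) not in self.dst:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.icmp_types is not None:
            lo, hi = self.icmp_types
            return p.icmp_type is not None and lo <= p.icmp_type <= hi
        return True

def spd_lookup(spd: List[SpdEntry], p: Packet) -> str:
    # Ordered first-match search; traffic matching no entry is discarded.
    for entry in spd:
        if entry.matches(p):
            return entry.action
    return "DISCARD"
# Constructed addresses (RFC 3849 documentation prefix); names follow the thread's topology.
ANY = IPv6Network("::/0")
N1_NET, N2_NET = IPv6Network("2001:db8:1::/64"), IPv6Network("2001:db8:2::/64")
N1 = "2001:db8:1::10"        # host behind VPNGW1
R2 = "2001:db8:ffff::2"      # router behind VPNGW2 on the smallest-MTU link
# Outbound SPD at VPNGW2 towards VPNGW1 covering only end-to-end N1 <-> N2 traffic ...
SPD_HOSTS_ONLY = [SpdEntry(N2_NET, N1_NET, None, None, "PROTECT")]
# ... and the same SPD plus an entry admitting Packet Too Big from any router to N1's network.
SPD_WITH_PTB = SPD_HOSTS_ONLY + [
    SpdEntry(ANY, N1_NET, ICMPV6, (PACKET_TOO_BIG, PACKET_TOO_BIG), "PROTECT")]
PTB_FROM_R2 = Packet(src=R2, dst=N1, proto=ICMPV6, icmp_type=PACKET_TOO_BIG)
```

With SPD_HOSTS_ONLY the lookup for PTB_FROM_R2 returns DISCARD and path MTU discovery between N1 and N2 silently fails; with SPD_WITH_PTB it returns PROTECT and the message is carried through the tunnel.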