
Re: IPv6 Neighbour Solicitation messages and IPsec



> > which in turn would prevent all communications. Also, as per RFC
> > 2401 we do not in general have the possibility to specify policies
> > for individual ICMP message types.
> 
> This passed the IESG in RFC 2894 (so it must be true):
> 
> 
>    Note that for the SPD to distinguish Router Renumbering from other
>    ICMP packets requires the use of the ICMP Type field as a selector.
>    This is consistent with, although not mentioned by, the Security
>    Architecture specification [IPSEC].
> 
> It's no contradiction with what you said, though.

It should also be said that many IPsec implementors recognize the need
to have special support for ICMP in IPsec policy; besides ICMP type,
there's also the matter of protecting ICMP errors using the "same"
policy as the traffic that generated them.

					- Bill
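
An added illustration (not part of the original message, and not taken from any IPsec implementation): a toy SPD lookup that uses the ICMPv6 type as a selector and resolves an ICMPv6 error through the selectors of the packet it quotes. The class names, addresses, rule set and the reverse-direction lookup for errors are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

ICMPV6, UDP = 58, 17                 # IPv6 next-header values
NS, NA, DEST_UNREACH = 135, 136, 1   # ICMPv6 types

@dataclass(frozen=True)
class Packet:                        # hypothetical minimal packet model
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int] = None
    inner: Optional["Packet"] = None # offending packet quoted by an ICMPv6 error

@dataclass(frozen=True)
class Rule:                          # hypothetical SPD entry; None or "*" is a wildcard
    action: str                      # "BYPASS", "PROTECT" or "DISCARD"
    src: str = "*"
    dst: str = "*"
    proto: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.src in ("*", p.src) and self.dst in ("*", p.dst)
                and self.proto in (None, p.proto)
                and self.icmp_type in (None, p.icmp_type))

def lookup(spd, pkt: Packet) -> str:
    is_error = (pkt.proto == ICMPV6 and pkt.icmp_type is not None
                and pkt.icmp_type < 128)       # ICMPv6 errors are types 0-127
    if is_error and pkt.inner is not None:
        # Assumption: the error travels back toward the original sender, so it
        # is looked up with the quoted packet's selectors in reverse direction.
        o = pkt.inner
        pkt = Packet(o.dst, o.src, o.proto, o.icmp_type)
    for rule in spd:                           # ordered, first match wins
        if rule.matches(pkt):
            return rule.action
    return "DISCARD"                           # nothing matched

A, B = "2001:db8::a", "2001:db8::b"            # constructed documentation addresses
SPD = [                                        # constructed sample policy
    Rule("BYPASS", proto=ICMPV6, icmp_type=NS),
    Rule("BYPASS", proto=ICMPV6, icmp_type=NA),
    Rule("PROTECT", src=A, dst=B, proto=UDP),
    Rule("PROTECT", src=B, dst=A, proto=UDP),
    Rule("BYPASS", proto=ICMPV6),              # remaining ICMPv6, matched by protocol only
]
```

With this sample policy, a Destination Unreachable that quotes a protected UDP packet is itself protected, while the same error matched only by protocol would fall through to the last rule and go out in the clear.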

