
ICMP PMTU processing relevant to IPSec.

Hi All,
   I have a question related to ICMP Path MTU message processing in IPSec. I
am referring only to IPv4. Section B.3.1 of RFC 2401 states:

	"However, if the ICMP message contains more information from the original
   	packet, then there may be enough information to immediately determine
   	to which host to propagate the ICMP/PMTU message and to provide that
   	system with the 5 fields (source address, destination address, source
   	port, destination port, and transport protocol) needed to determine
   	where to store/update the PMTU.  Under such circumstances, a security
   	gateway MUST generate an ICMP PMTU message immediately upon receipt
   	of an ICMP PMTU from further down the path. "

I would be thankful if anyone could clarify the following questions:
1. RFC 792 mentions that the ICMP error data contains the IP header + 64 bits of
original data. Is it possible in any case to get an ICMP error message
greater than the value specified?

2. If yes, what is the situation in which it may be generated?

3. If no, then is it really required to support the condition mentioned
above? Can anyone tell if all the well-known implementations are supporting
that?

4. If it is required to be supported, then in case of ESP, we need to
decrypt the packet. I think this packet needs to be decrypted using the Outbound
SA through which it was encrypted. The key for the Inbound SA will be different.
Also the full IPSec'ed packet may not be available, due to which the ESP tail
may not be available to identify the next protocol of ESP. Can anybody
explain how this should be taken care of? Please correct me if I am wrong
anywhere.


----------------------------
Awan Kumar Sharma
Sr. Software Engg., NEC-DF
Future Software Ltd.,
Chennai, India.
Ph: 4330 550 Extn: 437
  (www.futsoft.com)
------------------------------
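As an added illustration (not part of the original post), the Python below shows what a security gateway can and cannot recover from an RFC 792-minimum ICMP PMTU message when the quoted packet is ESP: the 64 bits following the outer IP header are the ESP SPI and sequence number, which are enough to find the outbound SA by (destination, SPI) but not the encrypted inner 5-tuple. The addresses, SPI and SAD overhead figures are constructed assumptions; the "next-hop MTU minus SA overhead" step follows RFC 2401 B.3.2.

```python
import socket
import struct

ESP = 50  # IP protocol number for ESP

def parse_icmp_pmtu(icmp: bytes):
    """Parse an ICMPv4 'fragmentation needed' (type 3, code 4) message.
    Returns None for any other ICMP message."""
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 3 or code != 4:
        return None
    quoted = icmp[8:]                      # original IP header + >= 64 bits of data
    ihl = (quoted[0] & 0x0F) * 4
    proto = quoted[9]
    info = {"next_hop_mtu": next_hop_mtu, "proto": proto,
            "src": socket.inet_ntoa(quoted[12:16]),
            "dst": socket.inet_ntoa(quoted[16:20]), "spi": None}
    data = quoted[ihl:]
    if proto == ESP and len(data) >= 8:
        # ESP header = SPI (32 bits) + sequence number (32 bits): exactly the
        # 64 bits RFC 792 guarantees. It identifies the SA, not the inner flow.
        info["spi"], _seq = struct.unpack("!II", data[:8])
    return info

# Constructed outbound SAD: (peer address, SPI) -> per-packet tunnel-mode
# encapsulation overhead (outer IP + ESP header + IV + trailer + ICV), not
# counting alignment padding.
OUTBOUND_SAD = {("192.0.2.2", 0x1000ABCD): {"overhead": 20 + 8 + 16 + 2 + 12}}

def pmtu_for_sa(info, sad=OUTBOUND_SAD):
    """PMTU to store in the SA: next-hop MTU minus that SA's overhead.
    Returns None when the SA cannot be identified from the quoted bytes."""
    if info is None or info["proto"] != ESP or info["spi"] is None:
        return None
    sa = sad.get((info["dst"], info["spi"]))
    if sa is None:
        return None
    return info["next_hop_mtu"] - sa["overhead"]

def build_sample() -> bytes:
    """Constructed ICMP type 3 code 4 quoting an outer IPv4 header plus the
    first 64 bits of ESP (SPI 0x1000ABCD, sequence 7), next-hop MTU 1400."""
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000, 64, ESP, 0,
                           socket.inet_aton("192.0.2.1"), socket.inet_aton("192.0.2.2"))
    esp_head = struct.pack("!II", 0x1000ABCD, 7)
    return struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + outer_ip + esp_head

if __name__ == "__main__":
    print(parse_icmp_pmtu(build_sample()), pmtu_for_sa(parse_icmp_pmtu(build_sample())))
```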