Re: ICMP error generation
Sabrina Minshall wrote:
> Hi All,
> suppose a VPN gateway encrypts a packet and the next hop to the
> tunnel (endpoint) is unreachable. What should be done? Should
> the packet be dropped (without generating an ICMP host/net
> unreachable)?
>
> sabrina
This is more of a tunnel issue.
RFC2003, although not exactly what IPsec specifies, addresses these
issues for IP-encapsulation tunnels already.
Notably Sec 3.2 says the packet SHOULD be dropped, and Sec 4.1 says that
an ICMP Unreachable SHOULD be returned.
RFC2401 addresses the IPsec-specific version, which includes some
additional filtering rules which do not appear to preclude 2003-style
handling.
Joe
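As an added illustration, not part of the thread, here is a Python sketch of the behaviour Joe points to: when the tunnel endpoint has no route or is known to be down, the encapsulating gateway drops the inner packet and returns an ICMP Destination Unreachable (RFC 792 type 3) to the inner packet's original source, quoting the offending header plus 8 bytes. The gateway address, routing table and sample datagram are constructed values.

```python
import struct
import ipaddress

ICMP_DEST_UNREACH = 3                  # RFC 792 message type
CODE_NET_UNREACH, CODE_HOST_UNREACH = 0, 1

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) with header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def icmp_unreachable(gateway: str, inner: bytes, code: int) -> bytes:
    """Build an ICMP Destination Unreachable from the gateway to the inner packet's source.
    The ICMP body quotes the inner IP header plus the first 8 bytes of its payload."""
    ihl = (inner[0] & 0x0F) * 4                       # inner header length in bytes
    inner_src = str(ipaddress.IPv4Address(inner[12:16]))
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner[: ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(gateway, inner_src, 1, len(icmp)) + icmp   # proto 1 = ICMP

def forward_to_tunnel(inner: bytes, gateway: str, tunnel_endpoint: str,
                      routes: list, down_hosts: set):
    """Decision taken at the encapsulator before the packet is encrypted.
    Returns ('forward', None) if the tunnel endpoint is reachable; otherwise
    ('drop', icmp_error_packet): the inner packet is discarded and an unreachable
    error (net or host, depending on why) goes back to the original sender."""
    endpoint = ipaddress.IPv4Address(tunnel_endpoint)
    if not any(endpoint in net for net in routes):               # no route at all
        return "drop", icmp_unreachable(gateway, inner, CODE_NET_UNREACH)
    if tunnel_endpoint in down_hosts:                            # route exists, next hop dead
        return "drop", icmp_unreachable(gateway, inner, CODE_HOST_UNREACH)
    return "forward", None

# Constructed sample: a 10.0.0.5 -> 10.1.0.9 UDP datagram with an 8-byte UDP header as payload.
SAMPLE_INNER = ipv4_header("10.0.0.5", "10.1.0.9", 17, 8) + b"\x04\xd2\x00\x35\x00\x08\x00\x00"
ROUTES = [ipaddress.ip_network("192.0.2.0/24")]                 # gateway's (constructed) routing table
```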