
Re: ICMP error generation



Sabrina Minshall wrote:
> Hi All,
>   suppose a VPN gateway encrypts a packet and the next hop to the
>   tunnel (endpoint) is unreachable. What should be done? Should
>   the packet be dropped (without generating an ICMP host/net
>   unreachable?).
> 
>   sabrina

This is more of a tunnel issue.

RFC2003, although not exactly what IPsec specifies, addresses these 
issues for IP-encapsulation tunnels already.

Notably Sec 3.2 says the packet SHOULD be dropped, and Sec 4.1 says that 
an ICMP Unreachable SHOULD be returned.

RFC2401 addresses the IPsec-specific version, which includes some 
additional filtering rules which do not appear to preclude 2003-style 
handling.

Joe
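As an added illustration (not part of the original thread or of any RFC reference implementation), the RFC 2003-style behaviour described above: a hypothetical IPv4 tunnel encapsulator that, when the tunnel peer is unreachable, drops the inner packet and returns an ICMP Destination Unreachable (Host Unreachable) to the original sender, quoting the original IP header plus 8 bytes as RFC 792 requires. The gateway address, reachability flag and sample packet are constructed; RFC 2401 filtering rules are not modelled.

```python
import struct
import socket

ICMP_DEST_UNREACH, CODE_HOST_UNREACH = 3, 1

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options), checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def icmp_host_unreachable(orig_pkt: bytes, gateway: str) -> bytes:
    """ICMP Destination Unreachable (type 3, code 1) from the gateway to the
    original sender; payload quotes the original IP header + 8 bytes."""
    ihl = (orig_pkt[0] & 0x0F) * 4
    orig_src = socket.inet_ntoa(orig_pkt[12:16])
    quoted = orig_pkt[:ihl + 8]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_HOST_UNREACH, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(gateway, orig_src, 1, len(icmp)) + icmp

def handle_outbound(inner_pkt: bytes, gateway: str, tunnel_peer_reachable: bool):
    """Hypothetical encapsulator decision (RFC 2003 Sec 3.2 / 4.1 style):
    forward into the tunnel, or drop and hand back the ICMP error to send."""
    if tunnel_peer_reachable:
        return "encapsulate", None
    return "drop", icmp_host_unreachable(inner_pkt, gateway)

# Constructed sample: inner UDP packet 10.0.0.5 -> 10.1.0.9 (8-byte UDP header only)
SAMPLE_INNER = (ipv4_header("10.0.0.5", "10.1.0.9", 17, 8)
                + struct.pack("!HHHH", 40000, 53, 8, 0))

if __name__ == "__main__":
    action, err = handle_outbound(SAMPLE_INNER, "192.0.2.1", False)
    print(action, len(err), err.hex())
```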