[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE negotiation for ICMP message type selectors

To: Stephen Kent <kent@bbn.com>
Subject: Re: IKE negotiation for ICMP message type selectors
From: Vijay Devarapalli <vijayd@iprg.nokia.com>
Date: Wed, 25 Jun 2003 19:12:35 -0700
CC: sommerfeld@east.sun.com, ipsec@lists.tislabs.com
References: <200306260059.h5Q0xeq3003180@thunk.east.sun.com>
Sender: owner-ipsec@lists.tislabs.com

Bill Sommerfeld wrote:
> 
> > For example, we've had discussion on the list about using ICMP
> > message type fields in lieu of port fields, when ICMP was the
> > payload.
> >
> > What do people think, and why?
> 
> Long overdue.
> 
> Particularly important for IKE and IPv6 (as, pending introduction of
> some facility to secure Neighbor Discovery) you likely want ND traffic
> in clear while other ICMPv6 traffic is protected.

agree.

infact Mobile IPv6 makes use of ICMP messages to convey 
to the mobile node changes in the set of IPv6 prefixes
advertised on the home link. we use ESP in transport mode
betwen the Home Agent and the mobile node for protecting
these messages. since IPsec does not look at the ICMP type, 
it ends up protecting all ICMP messages between the mobile 
node and the Home Agent.

and I believe ICMP can be used for lot more than just
error messages. a lot of protocols can make use of ICMP
for signaling. so, it would be great if IPsec looks at the
ICMP type field.

Vijay

References:
- Re: IKE negotiation for ICMP message type selectors
  - From: Bill Sommerfeld <sommerfeld@east.sun.com>

Prev by Date: Re: IKE negotiation for ICMP message type selectors
Next by Date: Re: IKE negotiation for ICMP message type selectors
Prev by thread: Re: IKE negotiation for ICMP message type selectors
Next by thread: Re: IKE negotiation for ICMP message type selectors
Index(es):
- Date
- Thread