
Re: ICMP Parameter Problem Message.





>>>>> "Mukesh" == Mukesh Gupta <Mukesh.Gupta@nokia.com> writes:

    Mukesh> Let's say a gateway has a loadable ipsec module and it loads it 
    Mukesh> only when it has an IPsec policy configured. This gateway receives
    Mukesh> an IPv6 ESP packet. As the IPsec module is not loaded, the IPv6 
    Mukesh> stack doesn't recognize the next header type ESP and replies with
    Mukesh> ICMP Parameter Problem (unrecognized next header type).

    Mukesh> The question is:

    Mukesh> should this ICMP message be sent in this case or should the ESP
    Mukesh> packet be dropped silently?
    Mukesh> because the gateway does recognize next header type ESP.

  Assuming that the module was loaded, an ICMP SPI unknown might be sent
by some implementations. Most drop it. 
  So, what is the concern exactly?

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [

