2401bis Issue # 85 -- DROP'd inbound packet -- does not match SA
Folks,
Here's a description and proposed approach for:
IPsec Issue #: 85
Title: DROP'd inbound packet -- does not match SA
Description
===========
Should there be a defined ICMP response to be used when an IPsec
implementation drops an inbound, IPsec-protected packet, whose
selectors do not match those of the SA on which it was delivered?
The intent is to indicate to the sender that the receiver dropped the
packet.
Proposed approach
=================
Add text saying something along the lines of...
"If an IPsec system receives an inbound packet whose selectors do not
match those of the SA on which it was delivered, it MUST drop the
packet. It SHOULD also be capable of generating and sending an ICMP
message to indicate to the sender (the IPsec encapsulator) that the
packet has been dropped by the receiver. The reason SHOULD be
recorded in the audit log.
IPv4    Type = 3 (destination unreachable)
        Code = 13 (Communication Administratively Prohibited)
IPv6    Type = 1 (destination unreachable)
        Code = 1 (Communication with destination administratively prohibited)
"The implementation SHOULD provide management controls to allow an
administrator to configure an IPsec implementation to send or not
send the above ICMP message, or to rate limit the transmission of
such ICMP responses."
Thank you,
Karen
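The receiver-side behaviour proposed above (compare the inner packet's selectors against the SA's traffic selectors, drop on mismatch, record the reason in the audit log, and optionally send a rate-limited ICMP "administratively prohibited" error using the type/code pairs listed) can be sketched as follows. This is an added illustration, not text or code from the post or from any IPsec implementation; the selector model is a simplified form of the RFC 4301 selectors, and the names InboundSA, Selectors, IcmpRateLimiter and check_inbound are this example's own.

```python
"""Inbound IPsec selector check with the ICMP response proposed for 2401bis issue 85.

Added example; names and the simplified selector model are this example's assumptions.
"""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# ICMP type/code pairs named in the proposal, keyed by IP version of the inner packet.
ICMP_ADMIN_PROHIBITED = {
    4: (3, 13),  # IPv4: Destination Unreachable / Communication Administratively Prohibited
    6: (1, 1),   # IPv6: Destination Unreachable / Communication with destination administratively prohibited
}


@dataclass(frozen=True)
class Selectors:
    """Selector values extracted from one decapsulated (inner) packet."""
    src: str
    dst: str
    proto: int
    sport: int   # 0 for protocols without ports
    dport: int


@dataclass
class InboundSA:
    """Traffic selectors negotiated for one inbound SA (simplified: one range per field)."""
    spi: int
    remote_net: IPNetwork                  # permitted inner source addresses
    local_net: IPNetwork                   # permitted inner destination addresses
    proto: Optional[int] = None            # None means any next-layer protocol
    remote_ports: Tuple[int, int] = (0, 65535)
    local_ports: Tuple[int, int] = (0, 65535)

    def matches(self, pkt: Selectors) -> bool:
        """True only if every selector of the packet falls inside the SA's selectors."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src.version != self.remote_net.version or dst.version != self.local_net.version:
            return False
        if src not in self.remote_net or dst not in self.local_net:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if not (self.remote_ports[0] <= pkt.sport <= self.remote_ports[1]):
            return False
        return self.local_ports[0] <= pkt.dport <= self.local_ports[1]


class IcmpRateLimiter:
    """Token bucket bounding how many ICMP errors are emitted; the clock is passed in explicitly."""

    def __init__(self, rate_per_sec: float, burst: int, now: float = 0.0):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def check_inbound(sa: InboundSA, pkt: Selectors, send_icmp: bool,
                  limiter: IcmpRateLimiter, now: float, audit: List[str]):
    """Return ("ACCEPT", None) or ("DROP", icmp) where icmp is a (type, code) pair or None.

    The packet is always dropped on mismatch (MUST); the ICMP error is sent only if the
    administrator enabled it (SHOULD, configurable) and the rate limiter permits it.
    """
    if sa.matches(pkt):
        return "ACCEPT", None
    audit.append(f"DROP spi=0x{sa.spi:08x} src={pkt.src} dst={pkt.dst} proto={pkt.proto} "
                 f"sport={pkt.sport} dport={pkt.dport} reason=selectors-do-not-match-SA")
    if not send_icmp or not limiter.allow(now):
        return "DROP", None
    return "DROP", ICMP_ADMIN_PROHIBITED[ipaddress.ip_address(pkt.src).version]


def demo() -> List[Tuple[str, Optional[Tuple[int, int]]]]:
    """Run constructed packets through one IPv4 SA with a burst-2 ICMP limiter."""
    sa = InboundSA(spi=0x1000, remote_net=ipaddress.ip_network("10.1.0.0/16"),
                   local_net=ipaddress.ip_network("192.168.5.0/24"), proto=6, local_ports=(443, 443))
    limiter, audit = IcmpRateLimiter(rate_per_sec=1.0, burst=2), []
    pkts = [Selectors("10.1.2.3", "192.168.5.10", 6, 51000, 443),   # inside the SA's selectors
            Selectors("10.9.9.9", "192.168.5.10", 6, 51000, 443),   # source outside remote_net
            Selectors("10.1.2.3", "192.168.5.10", 17, 51000, 443),  # wrong protocol
            Selectors("10.1.2.3", "192.168.5.10", 6, 51000, 80)]    # wrong destination port
    return [check_inbound(sa, p, True, limiter, 0.0, audit) for p in pkts]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running demo() accepts the first packet, drops the next two with the IPv4 (3, 13) error, and drops the fourth silently because the two-token burst is exhausted; every drop is still appended to the audit list, which is the part of the proposal that does not depend on the administrator's ICMP setting.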