
2401bis Issue # 85 -- DROP'd inbound packet -- does not match SA



Folks,

Here's a description and proposed approach for:

IPsec Issue #:	85

Title:		DROP'd inbound packet -- does not match SA

Description
===========
Should there be a defined ICMP response to be used when an IPsec 
implementation drops an inbound, IPsec-protected packet whose 
selectors do not match those of the SA on which it was delivered? 
The intent is to indicate to the sender that the receiver dropped the 
packet.

Proposed approach
=================
Add text saying something along the lines of...

"If an IPsec system receives an inbound packet whose selectors do not 
match those of the SA on which it was delivered, it MUST drop the 
packet.  It SHOULD also be capable of generating and sending an ICMP 
message to indicate to the sender (the IPsec encapsulator) that the 
packet has been dropped by the receiver.  The reason SHOULD be 
recorded in the audit log.

IPv4	Type = 3 (destination unreachable)
	Code = 13 (Communication Administratively Prohibited)

IPv6	Type = 1 (destination unreachable)
	Code = 1 (Communication with destination administratively prohibited)

"The implementation SHOULD provide management controls to allow an 
administrator to configure an IPsec implementation to send or not 
send the above ICMP message, or to rate limit the transmission of 
such ICMP responses."

Thank you,
Karen
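The receiver-side behaviour proposed above, as an added example (not part of the original message or of any IPsec implementation): a selector check against the SA, an audit-log entry on drop, and the ICMP type/code choice gated by the administrator's send/no-send control and a token-bucket rate limit. SA selectors, addresses and rate values are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# ICMP type/code pairs from the proposed text, keyed by the IP version of the
# outer (encapsulating) packet, since the ICMP goes back to the encapsulator.
ICMP_ADMIN_PROHIBITED = {4: (3, 13), 6: (1, 1)}


@dataclass
class SA:
    """Inbound SA with its negotiated selectors (constructed example values)."""
    spi: int
    src: str      # permitted inner source prefix
    dst: str      # permitted inner destination prefix
    proto: int    # permitted next-layer protocol number


@dataclass
class Policy:
    """Management controls: send the ICMP at all, and how fast (token bucket)."""
    send_icmp: bool = True
    max_per_sec: float = 2.0
    tokens: float = field(init=False, default=0.0)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.max_per_sec   # start with a full bucket

    def allow(self, now: float) -> bool:
        """Refill proportionally to elapsed time, then spend one token if available."""
        self.tokens = min(self.max_per_sec, self.tokens + (now - self.last) * self.max_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def selectors_match(sa: SA, inner_src: str, inner_dst: str, inner_proto: int) -> bool:
    return (ipaddress.ip_address(inner_src) in ipaddress.ip_network(sa.src)
            and ipaddress.ip_address(inner_dst) in ipaddress.ip_network(sa.dst)
            and inner_proto == sa.proto)


def process_inbound(sa, inner_src, inner_dst, inner_proto, outer_src, policy, audit, now):
    """Return ('accept', None), or ('drop', (icmp_type, icmp_code)) / ('drop', None)."""
    if selectors_match(sa, inner_src, inner_dst, inner_proto):
        return "accept", None
    # MUST drop; the reason SHOULD be recorded in the audit log.
    audit.append(f"drop spi={sa.spi:#x} {inner_src}->{inner_dst} proto={inner_proto}: "
                 f"selectors do not match SA")
    if policy.send_icmp and policy.allow(now):
        return "drop", ICMP_ADMIN_PROHIBITED[ipaddress.ip_address(outer_src).version]
    return "drop", None   # dropped silently: ICMP disabled or rate limited
```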