2401bis Issue # 83 -- DROP'd inbound packet -- missing required IPsec protection
Folks,
Here's a description and proposed approach for:
IPsec Issue #: 83
Title: DROP'd inbound packet -- missing required IPsec protection
Description
===========
Should there be a defined ICMP response to be used (when dropping an
inbound packet that was not protected by IPsec) to indicate to the
sender that IPsec was required by the receiver who dropped the packet?
Proposed approach
=================
Add text saying something along the lines of...
"If an IPsec system receives an inbound (unprotected) packet for
which the matching SPD entry requires IPsec protection, it MUST drop
the packet. It SHOULD also be capable of generating and sending an
ICMP message to indicate to the sender that the receiver dropped the
packet. The reason SHOULD be recorded in the audit log.
    IPv4 Type = 3 (destination unreachable)
         Code = 13 (Communication Administratively Prohibited)

    IPv6 Type = 1 (destination unreachable)
         Code = 1 (Communication with destination administratively prohibited)
Note that an attacker could send packets with a spoofed source
address, W.X.Y.Z, to an IPsec entity causing it to send ICMP
messages to W.X.Y.Z. This creates an opportunity to use an IPsec
receiver in a DoS attack. To address this, the implementation SHOULD
provide management controls to allow an administrator to configure an
IPsec implementation to send or not send the above ICMP message, or
to rate limit the transmission of such ICMP responses.
Thank you,
Karen
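
The drop, audit, and send-or-rate-limit decision proposed in the message above, as an added example that is not part of the original post or of any IPsec implementation. The struct and function names, the token-bucket limiter, and the sample rate of 2 per second with a burst of 3 are assumptions; only the ICMP type and code values come from the proposal.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical management controls: send or not send, plus a rate limit. */
struct icmp_policy  { bool send_icmp; uint32_t rate_per_sec; uint32_t burst; };
struct icmp_limiter { uint32_t tokens; uint64_t last_ms; };
struct icmp_reply   { bool send; uint8_t type; uint8_t code; };

/* Token bucket: refill for the elapsed time, then try to take one token. */
static bool limiter_allow(struct icmp_limiter *l, const struct icmp_policy *p,
                          uint64_t now_ms)
{
    uint64_t elapsed = now_ms > l->last_ms ? now_ms - l->last_ms : 0;
    uint64_t add = elapsed * p->rate_per_sec / 1000;
    if (add > 0) {
        uint64_t t = l->tokens + add;
        l->tokens = t > p->burst ? p->burst : (uint32_t)t;
        l->last_ms = now_ms;
    }
    if (l->tokens == 0) return false;
    l->tokens--;
    return true;
}

/* Caller always drops the packet; the result says whether to send ICMP. */
struct icmp_reply on_unprotected_drop(int ipver, struct icmp_limiter *l,
        const struct icmp_policy *p, uint64_t now_ms, unsigned *audit_records)
{
    struct icmp_reply r = { false, 0, 0 };
    (*audit_records)++;            /* stand-in for the audit log entry */
    if ((ipver != 4 && ipver != 6) || !p->send_icmp || !limiter_allow(l, p, now_ms))
        return r;                  /* silent drop: disabled or over the limit */
    r.send = true;
    r.type = (ipver == 4) ? 3 : 1;   /* destination unreachable */
    r.code = (ipver == 4) ? 13 : 1;  /* administratively prohibited */
    return r;
}

int main(void)
{
    /* Constructed flood: 100 unprotected packets in 1 s; limit 2/s, burst 3. */
    struct icmp_policy pol = { true, 2, 3 };
    struct icmp_limiter lim = { 3, 0 };
    unsigned audit = 0, sent = 0;
    for (uint64_t i = 0; i < 100; i++)
        sent += on_unprotected_drop(4, &lim, &pol, i * 10, &audit).send;
    printf("audited_drops=%u icmp_sent=%u\n", audit, sent);
    return 0;
}
```

Every drop is audited whether or not an ICMP message goes out, so the limiter bounds what a spoofed-source flood can reflect toward W.X.Y.Z without hiding the event from the administrator.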