
2401bis Issue # 83 -- DROP'd inbound packet -- missing required IPsec protection



Folks,

Here's a description and proposed approach for:

IPsec Issue #:	83

Title:		DROP'd inbound packet -- missing required IPsec protection

Description
===========
Should there be a defined ICMP response to be used (when dropping an 
inbound packet that was not protected by IPsec) to indicate to the 
sender that IPsec was required by the receiver who dropped the packet?

Proposed approach
=================
Add text saying something along the lines of...

"If an IPsec system receives an inbound (unprotected) packet for 
which the matching SPD entry requires IPsec protection, it MUST drop 
the packet.  It SHOULD also be capable of generating and sending an 
ICMP message to indicate to the sender that the receiver dropped the 
packet.  The reason SHOULD be recorded in the audit log.

IPv4	Type = 3 (destination unreachable)
	Code = 13 (Communication Administratively
                    Prohibited)

IPv6	Type = 1 (destination unreachable)
	Code = 1 (Communication with destination
                   administratively prohibited)

Note that an attacker could send packets with a spoofed source 
address, W.X.Y.Z,  to an IPsec entity causing it to send ICMP 
messages to W.X.Y.Z.  This creates an opportunity to use an IPsec 
receiver in a DoS attack. To address this, the implementation SHOULD 
provide management controls to allow an administrator to configure an 
IPsec implementation to send or not send the above ICMP message, or 
to rate limit the transmission of such ICMP responses.

Thank you,
Karen
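
The drop handling proposed in the message above (audit the reason, optionally answer with ICMP, and bound how many answers go out), as an added Python example that is not part of the original message or of any IPsec implementation. The `DropNotifier` class, its parameter names, and the choice of a single global token bucket are assumptions; only the ICMP type and code values come from the proposed text.

```python
import time

# (type, code) pairs taken from the proposed text, keyed by IP version
ICMP_ADMIN_PROHIBITED = {4: (3, 13), 6: (1, 1)}

class DropNotifier:
    """Hypothetical management controls: an on/off switch plus a token bucket."""

    def __init__(self, send_icmp=True, rate_per_sec=10.0, burst=5, clock=time.monotonic):
        self.send_icmp = send_icmp      # administrator may disable ICMP entirely
        self.rate = rate_per_sec        # sustained ICMP responses per second
        self.burst = burst              # maximum responses sent back-to-back
        self.clock = clock
        self.tokens = float(burst)
        self.last = clock()
        self.audit_log = []

    def _take_token(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def on_unprotected_drop(self, src, ip_version):
        """Call after dropping a packet whose SPD entry required IPsec.
        Returns the ICMP (type, code) to send to src, or None to stay silent."""
        if not self.send_icmp:
            verdict, icmp = "icmp-disabled", None
        elif self._take_token():
            verdict, icmp = "icmp-sent", ICMP_ADMIN_PROHIBITED[ip_version]
        else:
            verdict, icmp = "icmp-rate-limited", None
        # The drop reason is audited whether or not an ICMP message goes out.
        self.audit_log.append((src, "missing required IPsec protection", verdict))
        return icmp

def demo():
    # Constructed scenario: 8 packets with the same (possibly spoofed) source
    # arrive in one instant, then a single IPv6 packet arrives 1 s later.
    t = [0.0]
    n = DropNotifier(rate_per_sec=2.0, burst=3, clock=lambda: t[0])
    flood = [n.on_unprotected_drop("192.0.2.7", 4) for _ in range(8)]
    t[0] = 1.0
    later = n.on_unprotected_drop("2001:db8::7", 6)
    return flood, later, n.audit_log
```

A global bucket caps the receiver's total ICMP output regardless of how many source addresses are spoofed, and it keeps no per-address state that a flood could exhaust.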