Re: 2401bis Issue # 85 -- DROP'd inbound packet -- does not match SA
This ICMP message MUST be sent encrypted using the reverse direction SA (or
similar appropriate terminology) and MUST NOT be sent in the clear.
At 01:49 AM 9/30/03 -0400, Karen Seo wrote:
>Folks,
>
>Here's a description and proposed approach for:
>
>IPsec Issue #: 85
>
>Title: DROP'd inbound packet -- does not match SA
>
>Description
>===========
>Should there be a defined ICMP response to be used when an IPsec
>implementation drops an inbound, IPsec-protected packet, whose
>selectors do not match those of the SA on which it was delivered?
>The intent is to indicate to the sender that the receiver dropped the
>packet.
>
>Proposed approach
>=================
>Add text saying something along the lines of...
>
>"If an IPsec system receives an inbound packet whose selectors do not
>match those of the SA on which it was delivered, it MUST drop the
>packet. It SHOULD also be capable of generating and sending an ICMP
>message to indicate to the sender (the IPsec encapsulator) that the
>packet has been dropped by the receiver. The reason SHOULD be
>recorded in the audit log.
>
>IPv4 Type = 3 (destination unreachable)
>     Code = 13 (Communication Administratively Prohibited)
>
>IPv6 Type = 1 (destination unreachable)
>     Code = 1 (Communication with destination administratively prohibited)
>
>"The implementation SHOULD provide management controls to allow an
>administrator to configure an IPsec implementation to send or not
>send the above ICMP message, or to rate limit the transmission of
>such ICMP responses."
>
>Thank you,
>Karen
>
>
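The behaviour the proposed text describes, as an added example that is not part of this thread or of any IPsec implementation: an inbound packet is checked against the selectors of the SA it arrived on, a mismatch is dropped and audited, and an ICMPv4 Type 3 / Code 13 message is built (RFC 792 format, RFC 1071 checksum) only when the administrator has enabled it and a rate limit permits. The SA selector values, the `SASelectors` layout, the sample packets and the `handle_inbound` interface are all constructed for illustration; the returned ICMP bytes are the inner message only, and, per the reply above, would be sent over the reverse-direction SA rather than in the clear. IPv6 (Type 1 / Code 1) differs only in the header layout and the pseudo-header checksum and is not shown.

```python
import ipaddress
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3       # IPv4 ICMP Type 3 (destination unreachable)
ICMP_ADMIN_PROHIBITED = 13  # Code 13 (communication administratively prohibited)


@dataclass
class SASelectors:
    """Selectors an inbound SA was negotiated for (hypothetical layout, not a real API)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: int
    dport_lo: int
    dport_hi: int


def parse_ipv4(datagram: bytes) -> dict:
    """Minimal IPv4 + TCP/UDP parse: just enough to extract the selector fields."""
    ihl = (datagram[0] & 0x0F) * 4
    proto = datagram[9]
    src = ipaddress.IPv4Address(datagram[12:16])
    dst = ipaddress.IPv4Address(datagram[16:20])
    dport = None
    if proto in (6, 17) and len(datagram) >= ihl + 4:
        dport = struct.unpack("!H", datagram[ihl + 2:ihl + 4])[0]
    return {"ihl": ihl, "proto": proto, "src": src, "dst": dst, "dport": dport}


def selectors_match(sa: SASelectors, hdr: dict) -> bool:
    """The check the draft mandates: the inner packet must fall inside the SA's selectors."""
    if hdr["src"] not in sa.src or hdr["dst"] not in sa.dst or hdr["proto"] != sa.proto:
        return False
    return hdr["dport"] is not None and sa.dport_lo <= hdr["dport"] <= sa.dport_hi


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; recomputing over a
    message that already carries its checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_admin_prohibited(original: bytes) -> bytes:
    """ICMPv4 Type 3 / Code 13, quoting the offending IP header + 8 bytes (RFC 792)."""
    ihl = (original[0] & 0x0F) * 4
    body = original[:ihl + 8]
    csum = inet_checksum(struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED, 0, 0) + body)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED, csum, 0) + body


class TokenBucket:
    """Rate limit on ICMP responses: the draft's 'rate limit' management control."""
    def __init__(self, rate_per_sec: float, burst: int):
        self.rate, self.burst, self.tokens, self.last = rate_per_sec, burst, float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def handle_inbound(sa, datagram, send_icmp, limiter, now, audit):
    """Return ('accept', None) or ('drop', icmp_bytes_or_None).
    send_icmp is the administrator's on/off control; a non-None ICMP message is
    meant to go out on the reverse-direction SA, never in the clear."""
    hdr = parse_ipv4(datagram)
    if selectors_match(sa, hdr):
        return "accept", None
    audit.append("DROP inbound %s->%s proto=%d dport=%s: selectors do not match SA"
                 % (hdr["src"], hdr["dst"], hdr["proto"], hdr["dport"]))
    if send_icmp and limiter.allow(now):
        return "drop", build_icmp_admin_prohibited(datagram)
    return "drop", None


def make_tcp_packet(src: str, dst: str, dport: int) -> bytes:
    """Constructed sample: 20-byte IPv4 header (header checksum left 0) + 8 bytes of TCP."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!HHI", 40000, dport, 1)


# Constructed SA: TCP/80 from 10.1.1.0/24 to 10.2.2.0/24 (hypothetical values)
SA_EXAMPLE = SASelectors(ipaddress.IPv4Network("10.1.1.0/24"),
                         ipaddress.IPv4Network("10.2.2.0/24"), 6, 80, 80)

if __name__ == "__main__":
    log = []
    print(handle_inbound(SA_EXAMPLE, make_tcp_packet("10.1.1.5", "10.2.2.7", 80), True, TokenBucket(1, 1), 0.0, log))
    print(handle_inbound(SA_EXAMPLE, make_tcp_packet("10.1.1.5", "10.2.2.7", 22), True, TokenBucket(1, 1), 0.0, log))
    print(log)
```

The ICMP message quotes the decrypted inner header, so a peer receiving it learns which flow was rejected; that is the reason the reply insists it travel inside the reverse SA, since the same bytes in the clear would leak the inner addresses and ports to the path.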