
Re: 2401bis Issue # 85 -- DROP'd inbound packet -- does not match SA




> From: "Joseph J. Tardo" <tardo@acm.org>
> 
> This ICMP message MUST be sent encrypted using the reverse direction SA (or
> similar appropriate terminology) and MUST NOT be sent in the clear.

Using what encryption?

  a) you have a policy selector entry for this ICMP message? Doubtful
  that this works, as the other end has already been shown to be badly
  out of sync with respect to policies.

  b) use the selectors extracted from the returned packet (instead of
  the outer Error ICMP) to choose the policy and IPSEC for the ICMP
  message.

  c) use the incoming SAs to find suitable matching outgoing SAs and
  use them (doubtful, as they may not exist, and this would
  bypass the SPD, and could expose some security problems).

I consider (b) to be the "right" way to do it in general for ICMP
error messages, but in this case again, it's unlikely that the other end
would accept it (because it has already shown itself to be using an
incorrect policy).


> >Here's a description and proposed approach for:
> >
> >IPsec Issue #:	85
> >
> >Title:		DROP'd inbound packet -- does not match SA
> >
> >Description
> >===========
> >Should there be a defined ICMP response to be used when an IPsec 
> >implementation  drops an inbound, IPsec-protected packet, whose 
> >selectors do not match those of the SA on which it was delivered? 
> >The intent is to indicate to the sender that the receiver dropped the 
> >packet.
> >
> >Proposed approach
> >=================
> >Add text saying something along the lines of...
> >
> >"If an IPsec system receives an inbound packet whose selectors do not 
> >match those of the SA on which it was delivered, it MUST drop the 
> >packet.  It SHOULD also be capable of generating and sending an ICMP 
> >message to indicate to the sender (the IPsec encapsulator) that the 
> >packet has been dropped by the receiver.  The reason SHOULD be 
> >recorded in the audit log.
> >
> >IPv4	Type = 3 (destination unreachable)
> >	Code = 13 (Communication Administratively
> >                    Prohibited)
> >
> >IPv6	Type = 1 (destination unreachable)
> >	Code = 1 (Communication with destination
> >                   administratively prohibited)
> >
> >"The implementation SHOULD provide management controls to allow an 
> >administrator to configure an IPsec implementation to send or not 
> >send the above ICMP message, or to rate limit the transmission of 
> >such ICMP responses."
> >
> >Thank you,
> >Karen
> >
> >
>
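
Option (b) from the reply above, sketched as an added example that is not part of the thread or of any IPsec implementation: pull the selectors out of the packet quoted inside the ICMPv4 error and use those, rather than the outer ICMP header, for the SPD lookup. The SPD layout, the function names, the sample addresses and the reversed (local = quoted destination) lookup direction are assumptions made for illustration.

```python
import ipaddress
import struct

ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED = 3, 13  # values quoted in the thread

def selectors_from_icmp_error(icmp: bytes) -> dict:
    """Return the selectors of the packet quoted inside an ICMPv4 error."""
    if len(icmp) < 8 + 20:
        raise ValueError("ICMP error too short to carry an IPv4 header")
    inner = icmp[8:]                  # quoted packet follows the 8-byte ICMP header
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(inner) < ihl:
        raise ValueError("malformed quoted IPv4 header")
    proto = inner[9]
    src = ipaddress.IPv4Address(inner[12:16])
    dst = ipaddress.IPv4Address(inner[16:20])
    sport = dport = None
    if proto in (6, 17) and len(inner) >= ihl + 4:  # TCP/UDP: ports lead the header
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    # Assumption: the error travels back toward the quoted packet's sender,
    # so the quoted source is the remote end and the quoted destination is local.
    return {"type": icmp[0], "code": icmp[1], "proto": proto,
            "local": dst, "remote": src, "local_port": dport, "remote_port": sport}

def spd_lookup(spd, sel) -> str:
    """First-match lookup in a toy, ordered SPD; anything unmatched is DISCARD."""
    for local_net, remote_net, proto, action in spd:
        if (sel["local"] in ipaddress.ip_network(local_net)
                and sel["remote"] in ipaddress.ip_network(remote_net)
                and proto in (None, sel["proto"])):
            return action
    return "DISCARD"

def build_sample() -> bytes:
    """Constructed sample: UDP 10.1.0.5:40000 -> 10.2.0.9:53 quoted in a 3/13 error.
    Checksums are left at zero because this example does not validate them."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                           ipaddress.IPv4Address("10.1.0.5").packed,
                           ipaddress.IPv4Address("10.2.0.9").packed)
    inner_udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    header = struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED, 0, 0)
    return header + inner_ip + inner_udp

# Hypothetical SPD on the system that dropped the packet (10.2.0.0/16 is local).
SPD = [("10.2.0.0/16", "10.1.0.0/16", 17, "PROTECT"),
       ("10.2.0.0/16", "0.0.0.0/0", None, "DISCARD")]

if __name__ == "__main__":
    sel = selectors_from_icmp_error(build_sample())
    print(sel, spd_lookup(SPD, sel))
```

As the reply notes, a peer whose policy is already out of step may still reject the result, so the lookup only decides how the local side treats the error message.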