[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 2401bis Issue # 84 -- DROP'd outbound packet

To: Charles Lynn <clynn@bbn.com>
Subject: Re: 2401bis Issue # 84 -- DROP'd outbound packet
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Date: Wed, 01 Oct 2003 16:40:25 +0200
cc: ipsec@lists.tislabs.com
In-reply-to: Your message of Tue, 30 Sep 2003 10:03:04 EDT. <20030930140304.EEDCD16508@wolfe.bbn.com>
Sender: owner-ipsec@lists.tislabs.com

 In your previous mail you wrote:

   Francis observes:

   > => IMHO the code should follow the reason why the IPsec peer could not
   > be contacted with code 1 by default?

   To amplify, it is hard for the receiver of an ICMP message that only
   uses one code to decide how to respond/notify the user about the
   detected error.  There are several cases:

   1) There are (temporary) network connectivity problems during IKE; the
      communication should be retried "in a while".

=> if the source of the problem is known so the code to use is known,
if it is not known, code 1 is a good default.

   2) There are (temporary) (black or red) network connectivity problems
      during the user's communication, the communication may not succeed
      at the current time; one could wait, or try again later.

=> same.

   3) The communication is prohibited by policy; do not retry until the
      security officer(s) have reached an agreement.  Note that the
      prohibition can be detected by either of the IKE peers.

=> code 1

   4) The packet that was received is protected as required by the local
      policy, but it is not a packet that should be sent via the SA that
      was used (access control violation); your implementation is broken,
      or your key has been compromised.  The SG transiting the ICMP might
      try to rekey the SA to establish a new key, but that will not fix a
      broken implementation.

=> code 1

   5) The packet that was received is not protected as required by the
      local policy; this could be part of a DDoS attack, so a way to
      limit the ICMP rate is especially important in this case.

=> code 1 (and I agree about the rate limit)

   It would be nice it the user could be given some indication of the
   problem so that they could initiate corrective action.

   Should we define additional ICMP codes to distinguish the cases?
   I think we should.

=> if you believe we need new things, IMHO it should be a new type and
not new codes. And it should be easier to get...

Regards

Francis.Dupont@enst-bretagne.fr

PS: code 1 is "communication with destination administratively prohibited".

Follow-Ups:
- Re: 2401bis Issue # 84 -- DROP'd outbound packet
  - From: Karen Seo <kseo@bbn.com>

Prev by Date: No Subject
Next by Date: RE: 2401bis Issue # 75 -- TOS (now ECN) copying in tunnel mode
Prev by thread: No Subject
Next by thread: Re: 2401bis Issue # 84 -- DROP'd outbound packet
Index(es):
- Date
- Thread