
Issue #83, #84: (was: Last Call on 2401bis issues 72, 73, 76, 79, 80, 83, 84)



Barbara Fraser writes:
> Debugging Support:
> 83 DROP'd inbound packet -- missing required IPsec protection - debug support
> 84 DROP'd outbound packet - debug support

Both of these have text that says:

----------------------------------------------------------------------
To address this, the implementation SHOULD provide management controls
to allow an administrator to configure an IPsec implementation to send
or not send the above ICMP message, or to rate limit the transmission
of such ICMP responses.
----------------------------------------------------------------------

I.e., either allow a configuration option to disable or enable ICMP, *or*
rate limit them.

I think that even if there is an option to disable ICMPs there SHOULD be
a way to rate limit them, i.e., if the implementation allows sending ICMPs
there must always be a way to rate limit them.

So the new text could be:
----------------------------------------------------------------------
To address this, the implementation SHOULD provide management controls
to allow an administrator to configure an IPsec implementation to send
or not send the above ICMP message, and to rate limit the transmission
of such ICMP responses.
----------------------------------------------------------------------
(i.e., change or => and).
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
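
The two management controls discussed in the message above, sketched as an added example (not code from the post, the draft, or any IPsec implementation). The struct and function names are hypothetical, and a token bucket is assumed as the rate-limiting method since the quoted text does not name one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical management controls: the on/off switch AND the rate limit. */
struct icmp_policy {
    bool     send_enabled;  /* "send or not send the above ICMP message" */
    uint32_t rate_per_sec;  /* sustained ICMP responses per second */
    uint32_t burst;         /* bucket depth: responses allowed back to back */
};
struct icmp_bucket { uint64_t millitokens, last_ms; }; /* 1000 = one ICMP */

/* Decide whether a packet dropped at now_ms may trigger an ICMP response. */
bool icmp_may_send(struct icmp_bucket *b, const struct icmp_policy *p, uint64_t now_ms)
{
    uint64_t cap = (uint64_t)p->burst * 1000;
    if (!p->send_enabled)
        return false;                       /* administrator disabled ICMP */
    if (now_ms > b->last_ms) {
        uint64_t elapsed = now_ms - b->last_ms;
        uint64_t room = cap - b->millitokens;
        /* 1 ms adds rate_per_sec millitokens; clamp at the bucket depth. */
        if (p->rate_per_sec != 0 && elapsed > room / p->rate_per_sec)
            b->millitokens = cap;
        else
            b->millitokens += elapsed * p->rate_per_sec;
        b->last_ms = now_ms;
    }
    if (b->millitokens < 1000)
        return false;                       /* over the limit: drop silently */
    b->millitokens -= 1000;
    return true;
}

/* Constructed workload: n drops, one every interval_ms; returns ICMPs sent. */
unsigned icmp_sent_for_drops(const struct icmp_policy *p, unsigned n, uint64_t interval_ms)
{
    struct icmp_bucket b = { (uint64_t)p->burst * 1000, 0 };
    unsigned sent = 0;
    for (unsigned i = 0; i < n; i++)
        sent += icmp_may_send(&b, p, (uint64_t)i * interval_ms);
    return sent;
}

int main(void)
{
    struct icmp_policy on = { true, 10, 5 }, off = { false, 10, 5 };
    printf("ICMPs sent for 1000 drops in 1 s: enabled=%u disabled=%u\n",
           icmp_sent_for_drops(&on, 1000, 1), icmp_sent_for_drops(&off, 1000, 1));
    return 0;
}
```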