[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 2401bis Issue # 84 -- DROP'd outbound packet

To: ipsec@lists.tislabs.com, Francis Dupont <Francis.Dupont@enst-bretagne.fr>, clynn@bbn.com
Subject: Re: 2401bis Issue # 84 -- DROP'd outbound packet
From: Karen Seo <kseo@bbn.com>
Date: Wed, 15 Oct 2003 00:08:47 -0400
Cc: kseo@bbn.com
In-Reply-To: <200310011440.h91EePHN072102@givry.rennes.enst-bretagne.fr>
References: <200310011440.h91EePHN072102@givry.rennes.enst-bretagne.fr>
Sender: owner-ipsec@lists.tislabs.com

Folks,

	Thank you for the suggestions re: which code to use for the
	following case....

>b2. the IPsec system was unable to set up the SA required by the SPD 
>entry matching the packet because the IPsec peer at the other end of 
>the exchange could not be contacted.  The type should be destination 
>unreachable, but what codes should we use?

	While it would be desirable for the sender to be notified
	of the true cause of the failure to set up the needed SA,
	given that the IPsec system may not be able to verify the
	ICMP info it receives about the cause of the set up failure,
	how about if we use:

		IPv4	Type = 3 (destination unreachable)
			Code = 1 (host unreachable)

		IPv6	Type = 1 (destination unreachable)
			Code = 3 (address unreachable)

	This would let us avoid the effort and time to needed to
	define and obtain additional types and codes.

Thanks again,
Karen

References:
- Re: 2401bis Issue # 84 -- DROP'd outbound packet
  - From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>

Prev by Date: Re: IKEv2 Correction (editorial)
Next by Date: Re: Issue 68 ("VPNs with overlapping IP address ranges")
Prev by thread: Re: 2401bis Issue # 84 -- DROP'd outbound packet
Next by thread: RE: 2401bis Issue # 75 -- TOS (now ECN) copying in tunnel mode
Index(es):
- Date
- Thread