Re: Issue #85 DROP'd inbound packet -- does not match SA
On Sun, Oct 12, 2003 at 05:05:12PM +0300, Tero Kivinen wrote:
> One possible solution to this is not to use ICMP messages at all.
> Because this kind of solution can only happen when the other end is
> configured incorrectly or has bugs. If the SA is a manually keyed SA
> there is nothing we can really do. If it is IKE negotiated SA we could
> find out the IKE SA tied to the SA (in IKEv2 this is easy, for IKEv1
> it is harder, and the IKE SA might not be there anymore).
>
> INVALID_SELECTORS XX
>
> MAY be sent in an IKE INFORMATIONAL Exchange when a node
> receives an ESP or AH packet whose selectors do not match
> those of the SA on which it was delivered (and which
> caused the packet to be dropped). The Notification Data
> contains the start of the offending packet (as in ICMP
> messages) and the SPI field of the notification is set to
> match the SPI of the IPsec SA.
This seems like a good suggestion to me. The one downside is that it
requires adding the above text to the IKEv2 draft. But this is a
small enough change that I believe we could do so during or before the
IETF last call process.
Any objections to this approach?
- Ted
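To make the proposed notification concrete, here is an added example (not part of this thread, and not code from any IKE implementation) that encodes and decodes an INVALID_SELECTORS Notify payload in the IKEv2 Notify layout (Protocol ID, SPI Size, Notify Message Type, SPI, Notification Data) and shows the checks a receiving node should apply before acting on one. The quoted draft text leaves the type number as "XX"; the value 39 used below is the number the published IKEv2 RFC (RFC 7296) later assigned, not something this page states. The 28-byte cap on the quoted packet (mirroring "as in ICMP messages"), the `handle_invalid_selectors` decision strings and the IPv4 source-address check are assumptions for illustration.

```python
import struct
from dataclasses import dataclass

# IKEv2 Protocol IDs for the SA the notification refers to.
PROTO_AH = 2
PROTO_ESP = 3
# The draft text on this page writes the type as "XX"; 39 is the value that
# RFC 7296 later assigned to INVALID_SELECTORS (assumption relative to this page).
NOTIFY_INVALID_SELECTORS = 39
NEXT_PAYLOAD_NONE = 0
# Assumption: quote only the leading bytes of the offending packet, as ICMP does
# (IPv4 header plus the first 8 bytes of the transport header).
MAX_QUOTED_BYTES = 28


@dataclass
class Notify:
    protocol_id: int
    notify_type: int
    spi: bytes
    data: bytes


def build_invalid_selectors(protocol_id, spi, offending_packet):
    """Encode an INVALID_SELECTORS Notify payload, generic payload header included."""
    if protocol_id not in (PROTO_AH, PROTO_ESP):
        raise ValueError("INVALID_SELECTORS must name an AH or ESP SA")
    if len(spi) != 4:
        raise ValueError("AH/ESP SPIs are 4 bytes")
    data = offending_packet[:MAX_QUOTED_BYTES]
    body = struct.pack("!BBH", protocol_id, len(spi), NOTIFY_INVALID_SELECTORS) + spi + data
    header = struct.pack("!BBH", NEXT_PAYLOAD_NONE, 0, 4 + len(body))
    return header + body


def parse_notify(payload):
    """Decode one Notify payload; any length inconsistency raises ValueError."""
    if len(payload) < 8:
        raise ValueError("payload shorter than fixed Notify header")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("Payload Length field does not match buffer")
    protocol_id, spi_size, notify_type = struct.unpack("!BBH", payload[4:8])
    if len(payload) < 8 + spi_size:
        raise ValueError("SPI runs past end of payload")
    spi = payload[8:8 + spi_size]
    return Notify(protocol_id, notify_type, spi, payload[8 + spi_size:])


def handle_invalid_selectors(payload, outbound_sas, local_addrs):
    """Receiver-side policy for a notification that arrived inside a protected
    INFORMATIONAL exchange. `outbound_sas` maps (protocol_id, spi) of SAs we
    send on to a selector description; `local_addrs` holds our IPv4 addresses
    as 4-byte strings. Returns (decision, reason); the SA is never torn down
    on the strength of the notification alone."""
    n = parse_notify(payload)
    if n.notify_type != NOTIFY_INVALID_SELECTORS:
        return ("ignore", "not an INVALID_SELECTORS notification")
    key = (n.protocol_id, n.spi)
    if key not in outbound_sas:
        # The peer dropped a packet on an SA we do not send on: nothing to fix here.
        return ("ignore", "SPI does not name one of our outbound SAs")
    if len(n.data) < 20 or n.data[0] >> 4 != 4:
        return ("log", "quoted packet start is not a parseable IPv4 header")
    if n.data[12:16] not in local_addrs:
        return ("log", "quoted packet was not sourced by this node")
    return ("log-and-recheck", "peer dropped our traffic on SA " + outbound_sas[key])


def sample_ipv4_packet(src, dst, payload=b"\x00" * 12):
    """Constructed minimal IPv4 packet (UDP protocol number, checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0, 64, 17, 0, src, dst)
    return hdr + payload


if __name__ == "__main__":
    spi = b"\xde\xad\xbe\xef"
    pkt = sample_ipv4_packet(b"\x0a\x00\x00\x01", b"\x0a\x00\x01\x07")
    notify = build_invalid_selectors(PROTO_ESP, spi, pkt)
    sas = {(PROTO_ESP, spi): "10.0.0.0/24 <-> 10.0.1.0/24"}
    print(handle_invalid_selectors(notify, sas, {b"\x0a\x00\x00\x01"}))
```

The decision tuple is deliberately conservative: the notification tells the sender that its selector check disagrees with the peer's, which is the misconfiguration-or-bug case the thread describes, so the sensible response is to log it, compare the local policy for that SA against what the quoted packet shows, and leave SA teardown to an explicit DELETE.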