
Re: Issue #85 DROP'd inbound packet -- does not match SA



On Sun, Oct 12, 2003 at 05:05:12PM +0300, Tero Kivinen wrote:
> One possible solution to this is not to use ICMP messages at all.
> Because this kind of solution can only happen when the other end is
> configured incorrectly or has bugs. If the SA is a manually keyed SA
> there is nothing we can really do. If it is IKE negotiated SA we could
> find out the IKE SA tied to the SA (in IKEv2 this is easy, for IKEv1
> it is harder, and the IKE SA might not be there anymore).
> 
>         INVALID_SELECTORS                          XX
> 
>             MAY be sent in an IKE INFORMATIONAL Exchange when a node
>             receives an ESP or AH packet whose selectors do not match
>             those of the SA on which it was delivered (and which
>             caused the packet to be dropped). The Notification Data
>             contains the start of the offending packet (as in ICMP
>             messages) and the SPI field of the notification is set to
>             match the SPI of the IPsec SA. 

This seems like a good suggestion to me.  The one downside is that it
requires adding the above text to the IKEv2 draft.  But this is a
small enough change that I believe we could do so during or before the
IETF last call process.  

Any objections with this approach?

						- Ted
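The receiver-side check and the notification described in the quoted draft text, written out as an added example; this is not code from the thread or from any IKE implementation. It models an inbound ESP SA by its SPI and IPv4 selectors, drops a decapsulated packet whose selectors fall outside them, and encodes an IKEv2 Notify payload with Protocol ID set to ESP, the SPI field set to the IPsec SA's SPI and the Notification Data carrying the start of the offending packet. The Notify message type number is left as "XX" in the post, so the code takes it as a parameter and uses a private-use placeholder; the 64-byte prefix length, the `InboundSA` record and the sample packets are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ESP_PROTOCOL_ID = 3             # IKEv2 Notify payload Protocol ID value for ESP
PLACEHOLDER_NOTIFY_TYPE = 8192  # placeholder in the private-use range:
                                # the quoted draft text leaves the number as "XX"


@dataclass
class InboundSA:
    """Constructed model of an inbound ESP SA: its SPI and the IPv4 selectors
    it was negotiated for.  proto=0 means any protocol; an empty port range
    means any destination port."""
    spi: int
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    proto: int = 0
    dst_ports: range = range(0)


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, dst_port) from a decapsulated IPv4 packet.
    dst_port is None for non-TCP/UDP or truncated packets."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    dst_port: Optional[int] = None
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return src, dst, proto, dst_port


def selectors_match(sa: InboundSA, pkt: bytes) -> bool:
    """The check an IPsec receiver applies after decapsulation: does the inner
    packet fall inside the selectors of the SA it arrived on?"""
    src, dst, proto, dport = parse_ipv4(pkt)
    if src not in sa.src_net or dst not in sa.dst_net:
        return False
    if sa.proto and proto != sa.proto:
        return False
    if sa.dst_ports and (dport is None or dport not in sa.dst_ports):
        return False
    return True


def build_notify(sa: InboundSA, pkt: bytes, msg_type: int,
                 data_len: int = 64, next_payload: int = 0) -> bytes:
    """Encode an IKEv2 Notify payload: generic payload header, Protocol ID = ESP,
    SPI Size = 4, SPI = the IPsec SA's SPI, Notification Data = the start of
    the offending packet (data_len bytes; the 64 is an arbitrary choice here)."""
    spi = struct.pack("!I", sa.spi)
    body = struct.pack("!BBH", ESP_PROTOCOL_ID, len(spi), msg_type) + spi + pkt[:data_len]
    header = struct.pack("!BBH", next_payload, 0, 4 + len(body))
    return header + body


def parse_notify(payload: bytes) -> dict:
    """Decode a payload produced by build_notify (the peer's view of it)."""
    next_payload, _flags, length = struct.unpack("!BBH", payload[:4])
    proto_id, spi_size, msg_type = struct.unpack("!BBH", payload[4:8])
    spi = payload[8:8 + spi_size]
    data = payload[8 + spi_size:length]
    return {"next_payload": next_payload, "length": length, "proto_id": proto_id,
            "msg_type": msg_type, "spi": int.from_bytes(spi, "big"), "data": data}


def handle_inbound(sa: InboundSA, pkt: bytes, msg_type: int = PLACEHOLDER_NOTIFY_TYPE):
    """Accept-or-drop decision for one decapsulated packet.
    Returns (accepted, notify_payload_or_None)."""
    if selectors_match(sa, pkt):
        return True, None
    return False, build_notify(sa, pkt, msg_type)


def make_ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample inner packet: minimal IPv4 + TCP headers, zero checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ip + tcp


# Constructed SA: 10.0.0.0/24 -> 192.168.1.0/24, TCP, destination port 443 only.
SAMPLE_SA = InboundSA(spi=0x11223344,
                      src_net=ipaddress.IPv4Network("10.0.0.0/24"),
                      dst_net=ipaddress.IPv4Network("192.168.1.0/24"),
                      proto=6, dst_ports=range(443, 444))
GOOD_PKT = make_ipv4_tcp("10.0.0.5", "192.168.1.10", 40000, 443)
BAD_PKT = make_ipv4_tcp("10.0.0.5", "192.168.1.10", 40000, 22)  # port 22: outside the SA's selectors

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_PKT), ("bad", BAD_PKT)):
        ok, notify = handle_inbound(SAMPLE_SA, pkt)
        print(name, "accepted" if ok else "dropped",
              "" if notify is None else parse_notify(notify))
```

The notification is only worth building when the SA can be traced back to a live IKE SA, as the quoted text notes; for a manually keyed SA there is nobody to send it to, so a caller would drop the packet and stop at `selectors_match`.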