
RE: 3rd try -- 2401bis issue 91 -- handling ICMP error messages



>
>It seems to me that in general the description of handling
>ICMP messages must be divorced from the presumption of any
>a-priori knowledge on the part of the IPsec implementation as to which
>networks are red and which are black, or which hosts are trusted
>and which aren't.

Mike,

In general, IPsec provides a barrier within a device (host, BITW, or 
SG), with red (friendly) interfaces on one side of the barrier and 
black (hostile) interfaces on the other. The SPD controls what we 
allow across the barrier, and whether we protect it or not.

If one wants to provide security services for each individual 
interface, then one needs to think of applying IPsec to each 
interface independently, nominally replicating the IPsec instance for 
each interface.  For example, if one has a security gateway with four 
interfaces, you could put IPsec on each interface card or you could 
have one IPsec instance for the device as a whole, consistent with 
the model.

In most cases, the single instance, red/black model works pretty well.

The terms "trusted" and "untrusted" are not ones I like to use here. 
For example, we may establish a tunnel to an SG at a site, but that 
does not mean that we just trust the site. We apply selector checks 
on the packets that emerge from the tunnel precisely because we do 
not just trust the site or the remote SG.

Steve
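The single-instance red/black barrier and the selector check on packets emerging from a tunnel, as an added toy model; this is illustration code, not code from the message, from RFC 2401bis or from any IPsec implementation. The SPD entries, the peer addresses and the SA selectors are constructed examples, and the "first matching SPD entry wins, default DISCARD" behaviour and the `TunnelSA`/`IPsecInstance` classes are simplifications assumed here for the demonstration.

```python
"""Toy model of one IPsec instance for a whole device: red side on one
side of the barrier, black side on the other, one ordered SPD deciding
what crosses it. Packets that arrive through a tunnel are re-checked
against the selectors negotiated for that SA instead of being trusted.

Added illustration; all addresses, SPD entries and SAs are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int  # IP protocol number, e.g. 6 = TCP, 17 = UDP


@dataclass(frozen=True)
class Selector:
    """Traffic selector: source range, destination range, optional protocol."""
    src: str
    dst: str
    proto: Optional[int] = None  # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        return (
            ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == pkt.proto)
        )


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str
    peer: Optional[str] = None  # tunnel endpoint for PROTECT entries


@dataclass(frozen=True)
class TunnelSA:
    """An established tunnel SA and the inner selectors negotiated for it."""
    peer: str
    selector: Selector


class IPsecInstance:
    """One IPsec instance for the device as a whole (assumed simplification)."""

    def __init__(self, spd: list[SPDEntry]):
        self.spd = spd  # ordered list; first matching entry wins

    def lookup(self, pkt: Packet) -> SPDEntry:
        for entry in self.spd:
            if entry.selector.matches(pkt):
                return entry
        # Nothing explicitly permitted across the barrier is dropped.
        return SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), DISCARD)

    def outbound(self, pkt: Packet) -> tuple[str, Optional[str]]:
        """Red -> black: decide PROTECT/BYPASS/DISCARD and the tunnel peer."""
        entry = self.lookup(pkt)
        return entry.action, entry.peer

    def inbound_from_tunnel(self, sa: TunnelSA, inner: Packet) -> str:
        """Black -> red after decapsulation. The inner packet is not trusted
        merely because it arrived through an authenticated tunnel: it must
        fall within the SA's negotiated selectors, and the SPD must agree
        that this traffic is supposed to be protected by this peer."""
        if not sa.selector.matches(inner):
            return DISCARD  # remote site sent traffic outside its selectors
        entry = self.lookup(inner)
        if entry.action != PROTECT or entry.peer != sa.peer:
            return DISCARD  # SPD does not bind this traffic to this peer
        return "DELIVER"


# Constructed configuration: local site 10.1/16 talks to remote site 10.2/16
# through a tunnel to one remote security gateway on the black side.
SG_PEER = "203.0.113.1"
SPD = [
    SPDEntry(Selector("10.1.0.0/16", "10.2.0.0/16"), PROTECT, SG_PEER),
    SPDEntry(Selector("10.2.0.0/16", "10.1.0.0/16"), PROTECT, SG_PEER),
    # Local hosts may reach one public DNS resolver unprotected (UDP only).
    SPDEntry(Selector("10.1.0.0/16", "198.51.100.53/32", proto=17), BYPASS),
]
ipsec = IPsecInstance(SPD)
SA = TunnelSA(SG_PEER, Selector("10.2.0.0/16", "10.1.0.0/16"))
OTHER_SA = TunnelSA("203.0.113.2", Selector("10.2.0.0/16", "10.1.0.0/16"))


def demo() -> dict:
    """Run the constructed cases and return each decision."""
    return {
        "site_to_site": ipsec.outbound(Packet("10.1.1.1", "10.2.5.5", 6)),
        "dns_bypass": ipsec.outbound(Packet("10.1.1.1", "198.51.100.53", 17)),
        "unknown_dst": ipsec.outbound(Packet("10.1.1.1", "192.0.2.9", 6)),
        "tunnel_ok": ipsec.inbound_from_tunnel(SA, Packet("10.2.5.5", "10.1.1.1", 6)),
        # Inner source outside the remote site's selectors: dropped even
        # though it came through a valid SA.
        "tunnel_spoof": ipsec.inbound_from_tunnel(SA, Packet("10.9.9.9", "10.1.1.1", 6)),
        # Right inner addresses, but via an SA with a peer the SPD does not
        # bind that traffic to: dropped.
        "wrong_peer": ipsec.inbound_from_tunnel(OTHER_SA, Packet("10.2.5.5", "10.1.1.1", 6)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The two inbound discard cases are the point of the last paragraph above: an authenticated tunnel to a site's SG establishes who the peer is, not that everything the peer emits is acceptable, so the inner packet is checked against the SA's selectors and the SPD before it is allowed onto the red side.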