Re: Issue #83: Generation of ICMP responses for inbound packet requiring IPSEC protection
Ted,
Issue #83 said:
Title: DROP'd inbound packet -- missing required IPsec protection
Description
===========
Should there be a defined ICMP response to be used (when dropping an
inbound packet that was not protected by IPsec) to indicate to the
sender that IPsec was required by the receiver who dropped the packet?
There is no text in 2401bis for this because it seems generally
impractical, at least as stated here. It would require searching the
SPD for each inbound packet to see if the packet matches an SPD entry
that calls for application of IPsec. As stated above, this would be
done even for packets that already map to a valid bypass SA! The SPD
admin has a responsibility to create entries that do not conflict in
this fashion. A vendor might choose to provide a facility to examine
an SPD and warn a user about such conflicts, but it makes more sense
to do so when the SPD is being managed, than when traffic arrives.
If one restricted this to encompass only inbound packets that will be
discarded, then we may still incur a non-trivial search penalty, and
we allow an attacker to probe the implementation to determine SPD
entries for IPsec-protected traffic, which hardly seems to be a good
idea, in general. So, while we agree that there would be some benefit
to notifying a peer when traffic is sent unprotected, when the
traffic should have been protected, it seems to be a costly feature
to implement and thus ought not be imposed as a requirement.
Steve
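The two places the reply contrasts, a per-packet SPD search at traffic time versus a conflict check when the SPD is being managed, can be modelled with a small ordered SPD. The code below is an added illustration, not code from the email or from 2401bis; it assumes a simplified selector (IPv4 source and destination prefixes, an optional protocol number and an inclusive destination-port range), first-match semantics, and a constructed three-entry SPD. `inbound_unprotected` shows that deciding whether a dropped packet "should have been protected" means walking the SPD to a PROTECT entry, which is exactly the entry a notification would reveal to the sender; `find_conflicts` is the admin-time check the reply suggests a vendor could offer instead, flagging BYPASS and PROTECT entries whose selectors overlap.

```python
"""Toy ordered SPD: first-match lookup for unprotected inbound packets and an
admin-time check for BYPASS/PROTECT selector conflicts (illustrative model,
not an implementation of RFC 2401bis)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Selector:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = None          # None means any protocol
    dport: Tuple[int, int] = (0, 65535)  # inclusive destination port range

    def matches(self, src: str, dst: str, proto: int, dport: int) -> bool:
        return (ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst
                and (self.proto is None or self.proto == proto)
                and self.dport[0] <= dport <= self.dport[1])

    def overlaps(self, other: "Selector") -> bool:
        """True if some packet could match both selectors."""
        return (self.src.overlaps(other.src)
                and self.dst.overlaps(other.dst)
                and (self.proto is None or other.proto is None
                     or self.proto == other.proto)
                and self.dport[0] <= other.dport[1]
                and other.dport[0] <= self.dport[1])


@dataclass(frozen=True)
class SPDEntry:
    name: str
    sel: Selector
    action: str  # "PROTECT", "BYPASS" or "DISCARD"


def lookup(spd: List[SPDEntry], src: str, dst: str, proto: int,
           dport: int) -> Optional[SPDEntry]:
    """Ordered first-match search; cost grows with the number of entries."""
    for entry in spd:
        if entry.sel.matches(src, dst, proto, dport):
            return entry
    return None


def inbound_unprotected(spd: List[SPDEntry], src: str, dst: str, proto: int,
                        dport: int) -> Tuple[str, Optional[str]]:
    """Fate of an inbound packet that arrived without IPsec.

    Returns (verdict, entry_name). A packet is only passed when the matching
    entry says BYPASS. When the verdict is DROP and the entry is PROTECT, an
    'IPsec required' notification would disclose that entry to the sender,
    which is the probing concern raised in the reply."""
    entry = lookup(spd, src, dst, proto, dport)
    if entry is None:
        return ("DROP", None)  # no policy at all: discard
    if entry.action == "BYPASS":
        return ("PASS", entry.name)
    return ("DROP", entry.name)


def find_conflicts(spd: List[SPDEntry]) -> List[Tuple[str, str]]:
    """Admin-time check: report (earlier, later) pairs where a BYPASS entry
    and a PROTECT entry have overlapping selectors, so the earlier one
    silently decides traffic the later one was meant to cover."""
    conflicts = []
    for i, earlier in enumerate(spd):
        for later in spd[i + 1:]:
            if ({earlier.action, later.action} == {"BYPASS", "PROTECT"}
                    and earlier.sel.overlaps(later.sel)):
                conflicts.append((earlier.name, later.name))
    return conflicts


def sample_spd() -> List[SPDEntry]:
    """Constructed example policy: a web bypass that partially shadows a
    PROTECT entry for the 10/8 network (the conflict case from the reply)."""
    net = ipaddress.IPv4Network
    return [
        SPDEntry("bypass-web",
                 Selector(net("0.0.0.0/0"), net("192.0.2.10/32"), 6, (80, 80)),
                 "BYPASS"),
        SPDEntry("protect-lan",
                 Selector(net("10.0.0.0/8"), net("192.0.2.0/24")),
                 "PROTECT"),
        SPDEntry("discard-rest",
                 Selector(net("0.0.0.0/0"), net("0.0.0.0/0")),
                 "DISCARD"),
    ]


if __name__ == "__main__":
    spd = sample_spd()
    print("conflicts:", find_conflicts(spd))
    print(inbound_unprotected(spd, "10.1.1.1", "192.0.2.10", 6, 80))
    print(inbound_unprotected(spd, "10.1.1.1", "192.0.2.20", 6, 22))
    print(inbound_unprotected(spd, "198.51.100.5", "192.0.2.20", 17, 53))
```

Running it shows the conflict checker catching the `bypass-web`/`protect-lan` overlap before any traffic arrives, while the per-packet path has to search the whole SPD just to learn that a dropped packet hit a PROTECT entry.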