
Re: Issue #83: Generation of ICMP responses for inbound packet requiring IPSEC protection
Ted,

Issue #83 said:


Title:		DROP'd inbound packet -- missing required IPsec protection

Description
===========
Should there be a defined ICMP response to be used (when dropping an 
inbound packet that was not protected by IPsec) to indicate to the 
sender that IPsec was required by the receiver who dropped the packet?

There is no text in 2401bis for this because it seems generally 
impractical, at least as stated here.  It would require searching the 
SPD for each inbound packet to see if the packet matches an SPD entry 
that calls for application of IPsec. As stated above, this would be 
done even for packets that already map to a valid bypass SA! The SPD 
admin has a responsibility to create entries that do not conflict in 
this fashion.  A vendor might choose to provide a facility to examine 
an SPD and warn a user about such conflicts, but it makes more sense 
to do so when the SPD is being managed, than when traffic arrives.

If one restricted this to encompass only inbound packets that will be 
discarded, then we may still incur a non-trivial search penalty, and 
we allow an attacker to probe the implementation to determine SPD 
entries for IPsec-protected traffic, which hardly seems to be a good 
idea, in general. So, while we agree that there would be some benefit 
to notifying a peer when traffic is sent unprotected, when the 
traffic should have been protected, it seems to be a costly feature 
to implement and thus ought not be imposed as a requirement.

Steve
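The management-time facility Steve mentions, examining an SPD and warning the administrator about entries that conflict, can be sketched as follows. This is an added example, not code from the message or from any IPsec implementation: the entry names, the simplified selector model (IPv4 prefixes, one protocol number, a destination port range) and the sample SPD are all constructed. The checker reports every pair of BYPASS and PROTECT entries whose selectors can match the same packet; because the SPD is ordered and the first match wins, the earlier entry shadows part of the later one, and the warning lets the admin confirm that ordering is intended. A small first-match lookup is included to contrast the per-packet path with the management-time check.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high)


@dataclass(frozen=True)
class Selector:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]  # None means "any protocol"
    dport: PortRange      # (0, 65535) means "any destination port"


@dataclass(frozen=True)
class SpdEntry:
    name: str
    sel: Selector
    action: str  # "PROTECT", "BYPASS" or "DISCARD"


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    dport: int


def ports_overlap(a: PortRange, b: PortRange) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def protos_overlap(a: Optional[int], b: Optional[int]) -> bool:
    return a is None or b is None or a == b


def selectors_overlap(x: Selector, y: Selector) -> bool:
    """True if some packet could match both selectors."""
    return (x.src.overlaps(y.src) and x.dst.overlaps(y.dst)
            and protos_overlap(x.proto, y.proto)
            and ports_overlap(x.dport, y.dport))


def find_conflicts(spd: List[SpdEntry]) -> List[Tuple[str, str]]:
    """Management-time check: return (earlier, later) name pairs where a
    BYPASS entry and a PROTECT entry can match the same packet. With an
    ordered SPD the earlier entry wins, so the later one is partly shadowed."""
    conflicts = []
    for i, a in enumerate(spd):
        for b in spd[i + 1:]:
            if {a.action, b.action} == {"BYPASS", "PROTECT"} \
                    and selectors_overlap(a.sel, b.sel):
                conflicts.append((a.name, b.name))
    return conflicts


def matches(sel: Selector, pkt: Packet) -> bool:
    return (pkt.src in sel.src and pkt.dst in sel.dst
            and (sel.proto is None or sel.proto == pkt.proto)
            and sel.dport[0] <= pkt.dport <= sel.dport[1])


def first_match(spd: List[SpdEntry], pkt: Packet) -> Optional[SpdEntry]:
    """Traffic-time lookup: ordered SPD, first matching entry decides."""
    return next((e for e in spd if matches(e.sel, pkt)), None)


def entry(name, action, src, dst, proto=None, dport=(0, 65535)) -> SpdEntry:
    sel = Selector(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                   proto, dport)
    return SpdEntry(name, sel, action)


# Constructed sample SPD (hypothetical, not taken from the issue text):
# DNS to the corporate subnet is bypassed, everything else to it is
# protected, a guest range is bypassed, and all other traffic is discarded.
SAMPLE_SPD = [
    entry("dns-bypass", "BYPASS", "10.0.0.0/8", "192.0.2.0/24",
          proto=17, dport=(53, 53)),
    entry("protect-corp", "PROTECT", "10.0.0.0/8", "192.0.2.0/24"),
    entry("bypass-guest", "BYPASS", "172.16.0.0/12", "198.51.100.0/24"),
    entry("discard-rest", "DISCARD", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for earlier, later in find_conflicts(SAMPLE_SPD):
        print(f"warning: BYPASS/PROTECT overlap: '{earlier}' "
              f"shadows part of '{later}'")
    dns = Packet(ipaddress.ip_address("10.1.2.3"),
                 ipaddress.ip_address("192.0.2.10"), 17, 53)
    hit = first_match(SAMPLE_SPD, dns)
    print("traffic-time decision for DNS packet:", hit.name if hit else None)
```

Running the checker when the SPD is edited flags the dns-bypass/protect-corp overlap once, whereas the same question asked per inbound packet would repeat the full scan for every bypassed datagram, which is the cost the message objects to.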