
Re: ICMP messages and per-port selectors



Michael,

>The essential premise of the later documents is that an ICMP message
>such as a port-unreachable should be examined - the "quoted" IP packet
>examined, reversed (src<->dst address/ports) and an SA found for it.

Ultimately we may need to deal with ICMP messages arriving via an SA 
by looking at the "quoted" packet, but I would not suggest that one 
do it literally as described above. I worry about the delays and 
added complexity imposed on receivers re what we might consider "fast 
path" processing.  We need to pick out ICMP traffic to perform the 
more in depth inspection this traffic requires. That observation 
motivated the idea of a separate SA for all ICMP traffic between two 
IPsec peers, where we can make first order decisions about accepting 
or rejecting this traffic based on message type and code. Then, for 
acceptable traffic, we can look inside to see what we have in the way 
of a returned packet and what to do with it.  We're not guaranteed 
that the 64-bytes we get with an IPv4 ICMP message will have port 
fields, for example, so it is not always as easy as reversing the 
addresses and ports to match against an extant SA.

Steve
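The processing Steve sketches above, as an added example that is not code from the original thread or from any IPsec implementation: a first-order accept/reject on ICMP type and code (the decision that would be made on a dedicated ICMP SA), then inspection of the quoted IPv4 packet, reversal of its addresses and ports, and a lookup against per-port selectors. The selector table, the accepted type/code set and the sample messages are all constructed here for illustration; the point of the example is the case where the quoted fragment carries no port fields (RFC 792 guarantees only the IP header plus 64 bits of the original datagram, and the quoted protocol may have no ports at all), so a five-tuple match is not always available.

```python
"""Added example (not from the original thread): inbound ICMPv4 error
handling with a type/code pre-filter, quoted-packet inspection and a
reversed per-port selector lookup.  All policy and sample data below is
constructed for illustration."""
import ipaddress
import struct

# Hypothetical first-order policy for the ICMP SA: destination unreachable
# (type 3, codes 0-5) and time exceeded (type 11) are inspected further;
# anything else is rejected before the quoted packet is looked at.
ACCEPT_TYPE_CODE = {(3, c) for c in range(6)} | {(11, 0), (11, 1)}

# Protocols whose first four transport-header bytes are src/dst ports.
PORTED_PROTOCOLS = {6, 17, 132, 33}  # TCP, UDP, SCTP, DCCP

# Hypothetical inbound selectors: name -> (src, dst, proto, sport, dport),
# None meaning "any".  These are the selectors a *reply* would match.
INBOUND_SELECTORS = [
    ("sa-dns-reply", ("192.0.2.10", "10.0.0.1", 17, 53, None)),
    ("sa-any-icmp", ("192.0.2.10", "10.0.0.1", 1, None, None)),
]


def internet_checksum(data):
    """RFC 1071 ones'-complement checksum; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_error(icmp_type, code, quoted):
    """Construct an ICMPv4 error message carrying `quoted` (sample builder)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = internet_checksum(header + quoted)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + quoted


def sample_quoted(proto, payload, src="10.0.0.1", dst="192.0.2.10"):
    """Constructed IPv4 header (no options) + payload, as a router would quote it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse_quoted_ipv4(quoted):
    """Return (src, dst, proto, ports) from the quoted packet, or None.

    `ports` is None when the protocol has no port fields or the fragment is
    too short to contain them (RFC 792 only guarantees the IP header plus
    64 bits of the original datagram), so callers must not assume a 5-tuple.
    """
    if len(quoted) < 20:
        return None
    ver_ihl = quoted[0]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(quoted) < ihl:
        return None
    proto = quoted[9]
    src = str(ipaddress.IPv4Address(quoted[12:16]))
    dst = str(ipaddress.IPv4Address(quoted[16:20]))
    ports = None
    if proto in PORTED_PROTOCOLS and len(quoted) >= ihl + 4:
        ports = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return src, dst, proto, ports


def lookup_reversed(src, dst, proto, ports, selectors):
    """Swap src<->dst (and ports) and match the result against selectors.

    Returns ("match", name), ("ambiguous", [names]) when a selector needs
    ports the quoted fragment does not carry, or ("none", None).
    """
    r_src, r_dst = dst, src
    r_sport, r_dport = (ports[1], ports[0]) if ports else (None, None)
    matched, needs_ports = [], []
    for name, (s_src, s_dst, s_proto, s_sport, s_dport) in selectors:
        if (s_src, s_dst, s_proto) != (r_src, r_dst, proto):
            continue
        if s_sport is None and s_dport is None:
            matched.append(name)
        elif ports is None:
            needs_ports.append(name)  # selector is port-specific, fragment is not
        elif s_sport in (None, r_sport) and s_dport in (None, r_dport):
            matched.append(name)
    if matched:
        return "match", matched[0]
    if needs_ports:
        return "ambiguous", needs_ports
    return "none", None


def classify_icmp_error(msg, selectors=INBOUND_SELECTORS):
    """Checksum, first-order type/code filter, then quoted-packet inspection."""
    if len(msg) < 8:
        return "drop", "truncated ICMP header"
    if internet_checksum(msg) != 0:
        return "drop", "bad ICMP checksum"
    icmp_type, code = msg[0], msg[1]
    if (icmp_type, code) not in ACCEPT_TYPE_CODE:
        return "drop", "type/code %d/%d not accepted" % (icmp_type, code)
    parsed = parse_quoted_ipv4(msg[8:])
    if parsed is None:
        return "drop", "quoted packet unusable"
    verdict, detail = lookup_reversed(*parsed, selectors)
    if verdict == "match":
        return "accept", detail
    if verdict == "ambiguous":
        return "hold", detail  # needs a slower, policy-specific decision
    return "drop", "no selector matches reversed quoted packet"


# Constructed samples (not captured traffic): a UDP DNS query 10.0.0.1:40000
# -> 192.0.2.10:53 quoted in full, the same with only its IP header quoted,
# and a quoted ICMP echo request (no ports at all).
QUOTED_UDP = sample_quoted(17, struct.pack("!HHHH", 40000, 53, 8, 0))
QUOTED_UDP_HEADER_ONLY = sample_quoted(17, b"")
QUOTED_ICMP_ECHO = sample_quoted(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
PORT_UNREACHABLE = build_icmp_error(3, 3, QUOTED_UDP)

if __name__ == "__main__":
    for label, m in [("full udp quote", PORT_UNREACHABLE),
                     ("ip header only", build_icmp_error(3, 3, QUOTED_UDP_HEADER_ONLY)),
                     ("icmp echo quoted", build_icmp_error(11, 0, QUOTED_ICMP_ECHO)),
                     ("redirect", build_icmp_error(5, 1, QUOTED_UDP))]:
        print(label, classify_icmp_error(m))
```

The three verdicts mirror the split in the message: "drop" is the cheap decision taken on type/code alone, "accept" is the case where reversing the quoted addresses and ports lands on a selector, and "hold" is the case the simple reverse-and-match rule does not cover, where the fragment is too short (or the protocol has no ports) for a port-specific selector to be decided.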