
Re: ICMP messages and per-port selectors





>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes:
    >> The essential premise of the later documents is that an ICMP
    >> message such as a port-unreachable should be examined - the
    >> "quoted" IP packet examined, reversed (src<->dst address/ports)
    >> and an SA found for it.

    Stephen> Ultimately we may need to deal with ICMP messages arriving
    Stephen> via an SA by looking at the "quoted" packet, but I would
    Stephen> not suggest that one do it literally as described above. I

  That's fine.

    Stephen> returned packet and what to do with it.  We're not
    Stephen> guaranteed that the 64-bytes we get with an IPv4 ICMP
    Stephen> message will have porty fields, for example, so it is not
    Stephen> always as easy as reversing the addresses and ports to
    Stephen> match against an extant SA.

  No, but packets that are too small are probably also *not* useful to the
original sender. While a human might guess what they mean from tcpdump,
they won't get returned to any application that might be looking for the
hint that they should failover, etc.

  I generally like the idea of a separate SA, but I don't think it
scales very well. I don't see the fast-path argument. The ICMP messages
that arrive will fail the fast-path checks - that's fine. 

  Like any packet that failed the fast-path checks, they should then go
somewhere to be logged/audited. That's already the slowpath, so no
difference. In fact, doing it this way gives us a better guarantee that
the fast-path is implemented/tested correctly, since we would regularly
be exercising the slow-path.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
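As an added illustration (not code from this thread or from any IPsec implementation), the "examine the quoted packet, reverse src/dst and ports, find an SA" step discussed above, written so that the too-short-quote case Kent raises is refused rather than guessed at. The inbound SA table, the selector layout and the packet builder are constructed here for the example.

```python
import socket
import struct

# Constructed inbound SA table: selector as seen from the peer towards us,
# (src, dst, proto, sport, dport) -> SA name. Hypothetical, for illustration only.
INBOUND_SADB = {
    ("192.0.2.7", "10.0.0.1", 17, 53, 5000): "SA-in-dns",
}

def reversed_selector(icmp: bytes):
    """Parse an ICMPv4 Destination Unreachable message, look at the quoted
    packet and return its 5-tuple with src<->dst address and port swapped,
    i.e. the selector a reply from the original destination would match.
    Returns None when the quote is too short to carry transport ports."""
    if len(icmp) < 8 + 20:                 # ICMP header + minimal IPv4 header
        return None
    if icmp[0] != 3:                       # type 3 = Destination Unreachable
        return None
    quoted = icmp[8:]                      # quoted IP header + leading bytes
    if quoted[0] >> 4 != 4:
        return None
    ihl = (quoted[0] & 0x0F) * 4
    proto = quoted[9]
    src = socket.inet_ntoa(quoted[12:16])
    dst = socket.inet_ntoa(quoted[16:20])
    if proto not in (6, 17):               # TCP/UDP keep ports at the same offsets
        return None
    if len(quoted) < ihl + 4:              # only 64 bits after the IP header are
        return None                        # guaranteed; ports may not be present
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return (dst, src, proto, dport, sport)

def find_sa(icmp: bytes, sadb=INBOUND_SADB):
    """Map an incoming ICMP message to an inbound SA, or None (slow path)."""
    sel = reversed_selector(icmp)
    return sadb.get(sel) if sel else None

def build_icmp_port_unreachable(src, dst, proto, sport, dport, quote_len=28):
    """Constructed test message: type 3 code 3 carrying an IPv4 header plus
    as many bytes of the transport header as quote_len allows."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    l4_hdr = struct.pack("!HHHH", sport, dport, 20, 0)
    icmp_hdr = struct.pack("!BBHI", 3, 3, 0, 0)  # checksum left zero here
    return icmp_hdr + (ip_hdr + l4_hdr)[:quote_len]
```

A quote of 28 bytes (header plus full UDP header) resolves to the SA; a quote cut to 20 or 22 bytes returns None and would fall through to the slow path Michael describes.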
