RE: Issue 83 will be withdrawn



This concerns me greatly. It was originally a "MUST FIX". Steve, can we have
an explanation of why this was withdrawn and what mechanisms should be used
instead? I don't see solutions in Issue 91 to compensate.

What was the TCP/IP or IPsec deployment purpose of those ICMP codes?

Thanks,
Wm


Reference:

Issue 83:

Description
===========
Should there be a defined ICMP response to be used (when
dropping an inbound packet that was not protected by IPsec)
to indicate to the sender that IPsec was required by the
receiver who dropped the packet?

Proposed approach
=================
Add text saying something along the lines of...

"If an IPsec system receives an inbound (unprotected) packet
for which the matching SPD entry requires IPsec protection,
it MUST drop the packet.  It SHOULD also be capable of
generating and sending an ICMP message to indicate to the
sender that the receiver dropped the packet.  The reason
SHOULD be recorded in the audit log.

IPv4    Type = 3 (destination unreachable)
        Code = 13 (Communication Administratively Prohibited)

IPv6    Type = 1 (destination unreachable)
        Code = 1 (Communication with destination administratively prohibited)

Note that an attacker could send packets with a spoofed
source address, W.X.Y.Z,  to an IPsec entity causing it to
send ICMP messages to W.X.Y.Z.  This creates an opportunity
to use an IPsec receiver in a DoS attack. To address this,
the implementation SHOULD provide management controls to
allow an administrator to configure an IPsec implementation
to send or not send the above ICMP message, or to rate limit
the transmission of such ICMP responses.


> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com 
> [mailto:owner-ipsec@lists.tislabs.com] On Behalf Of Angelos 
> D. Keromytis
> Sent: Tuesday, March 30, 2004 12:18 PM
> To: ipsec@lists.tislabs.com
> Subject: Issue 83 will be withdrawn
> 
> 
> https://roundup.machshav.com/ipsec/issue83
> 
> Issue 83 will be withdrawn and marked closed, unless someone 
> disagrees by next Tuesday.
> -Angelos
> 
>
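The receiver behaviour proposed in Issue 83, including the management control and rate limit it recommends against spoofed-source reflection, as an added Python model that is not part of this thread or of any IPsec implementation; the SPD entries, token-bucket parameters and injectable clock are constructed for illustration.

```python
import ipaddress
import time

# ICMP type/code the Issue 83 text proposes for an unprotected packet dropped
# because the matching SPD entry requires IPsec protection, keyed by IP version.
ICMP_ADMIN_PROHIBITED = {
    4: (3, 13),  # IPv4: Destination Unreachable / Communication Administratively Prohibited
    6: (1, 1),   # IPv6: Destination Unreachable / Communication with destination administratively prohibited
}


class TokenBucket:
    """Allows at most `rate` ICMP responses per second with a burst of `burst` (assumed policy)."""

    def __init__(self, rate, burst, now=time.monotonic):
        self.rate, self.burst, self.now = rate, burst, now
        self.tokens = float(burst)
        self.last = now()

    def allow(self):
        t = self.now()
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class IpsecReceiver:
    """Inbound processing for the Issue 83 case: SPD lookup, drop, audit, rate-limited ICMP."""

    def __init__(self, spd, send_icmp=True, rate=10, burst=5, clock=time.monotonic):
        # Ordered SPD: (destination prefix, action) with action in PROTECT / BYPASS / DISCARD.
        self.spd = [(ipaddress.ip_network(net), action) for net, action in spd]
        self.send_icmp = send_icmp          # administrator control: send the ICMP message or not
        self.bucket = TokenBucket(rate, burst, clock)
        self.audit = []                     # the reason for each drop is recorded here

    def lookup(self, dst):
        for net, action in self.spd:
            if dst in net:
                return action
        return "DISCARD"                    # no matching entry: discard by default

    def inbound(self, src, dst, protected):
        """Return ('ACCEPT', None), ('DROP', None) or ('DROP', (icmp_type, icmp_code))."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        action = self.lookup(dst)
        if action == "DISCARD":
            return ("DROP", None)
        if action == "BYPASS" or protected:
            return ("ACCEPT", None)
        # PROTECT entry hit by an unprotected packet: MUST drop, SHOULD audit, MAY signal.
        self.audit.append(f"dropped unprotected packet {src}->{dst}: SPD requires IPsec")
        if self.send_icmp and self.bucket.allow():
            return ("DROP", ICMP_ADMIN_PROHIBITED[dst.version])
        return ("DROP", None)               # rate limit or policy suppresses the reflection
```

A flood of packets with a forged source still produces at most `burst` plus `rate` per second ICMP messages toward the forged address, which is the bound the proposed management controls were meant to give an administrator.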