[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

2401bis -- Issue 91 -- handling ICMP error messages

To: ipsec@lists.tislabs.com
Subject: 2401bis -- Issue 91 -- handling ICMP error messages
From: Karen Seo <kseo@bbn.com>
Date: Tue, 13 Apr 2004 19:54:27 -0400
Cc: kseo@bbn.com
Sender: owner-ipsec@lists.tislabs.com

Folks,

Following up on a discussion at the end of February/early March re: 
how to handle ICMP traffic... We were talking about how to carry ICMP 
traffic via an SA between two IPsec implementations.  This did NOT 
involve ICMP traffic that might be bypassed or consumed on the 
ciphertext side of the IPsec boundary.  Also, there are two 
categories of ICMP traffic -- error messages (e.g., type = 
destination unreachable) and non-error messages (e.g., type = echo). 
This discussion covered ONLY error messages.  Non-error ICMP messages 
should be explicitly accounted for in the SPD.

Two approaches were discussed:
	1. The sender of ICMP error message uses the (return) SA for the
	   packet that resulted in the ICMP error message.  In this
	   discussion, the SA was assumed to not be configured to
	   carry ICMP error messages.
	2. The sender of ICMP error message uses an SA that is configured
	   to handle ICMP error messages of the relevant type and code.
	   Note that while this case was viewed in the discussion
	   as being a different/separate SA from case 1 above, this SA
	   could be the same as case 1, if that SA were configured to
	   carry ICMP error taffic (in addition to user traffic). Note
	   also that the ICMP Type and Code for this SA could be set to
	   ANY, if there is no need to restrict the type of ICMP traffic
	   that it is allowed to carry.

Here's what needs to happen at the sender and receiver, to make each case work:
	For case 1:
		a. The sender notices that the packet is an ICMP error
		   message and diverts it to slow path processing. It
		   examines the enclosed packet (or portion thereof),
		   swaps the source and destination addresses and
		   ports, and performs an SPD lookup to find the SA
		   to use.  Then the ICMP packet is sent via the
		   the selected SA.

		b. The receiver notices that a packet has failed the
		   selector check (e.g., the source address or the
		   protocol does not match).  The packet is diverted
		   to slow path processing where it is observed to be
		   an ICMP error message and the enclosed packet
		   is examined.  The source and destination addresses
		   and ports are swapped and matched against the
		   selectors for the SA via which the ICMP packet was
		   received.  If they match, the ICMP message is passed
		   on for further processing, e.g., PMTU check.

		This case assumes that no further access control checks
		are desired for the ICMP packet.

	For case 2:
		a. The sender extracts ICMP type and code and does an
		   SPD lookup to find an appropriate SA. (The Sender
		   only does fast path processing.)
		b. The receiver processes the ICMP packet on the SA
		   via which it was received, verifying that the ICMP
		   type and code of the message match the selectors
		   for the SA. If they do, then the receiver passes
		   the ICMP message to slow path processing.  The
		   selectors of the enclosed packet are extracted
		   and matched against the SPD-S cache, to ensure
		   that the enclosed packet is consistent with its
		   source.  If they do, the ICMP message is passed
		   along for further processing, e.g., PMTU check.
		   (The receiver does both fast path and slow path
		   processing.)

		Note that an ICMP packet may arrive on an SA unrelated
		to the SA used for the triggering packet. The sender
		will use the first SPD or SPD-S cache entry that it
		comes to that is configured to carry ICMP traffic of
		the given type and code. Even if the SA for the
		triggering packet is configured to carry ICMP traffic,
		there may be an earlier entry in the SPD that matches
		the ICMP message's type and code. So one has
		to search the outbound SPD-S cache to verify whether
		or not there's an extant SA for the enclosed
		(triggering) packet.

Proposed approach
	To simplify the processing done by the Sender (of the ICMP
	message) to find the SA to use for sending the ICMP message
	and to support access control checks on the ICMP messages
	(using ICMP Message Type and Code) by the Receiver,
	we propose to use the second approach.

	Note: In the second approach, there is no requirement that
	the SA used for the ICMP message be dedicated only to ICMP
	messages. To minimize the number of SAs between two IPsec
	systems, an administrator may wish to configure the SPD such
	that the ICMP messages may be combined with other traffic,
	i.e., by specifying SPD entries that carry both normal
	traffic and ICMP traffic.

Comments?  Thank you,
Karen

Follow-Ups:
- [Ipsec] Re: 2401bis -- Issue 91 -- handling ICMP error messages
  - From: Mark Duffy <mduffy@quarrytech.com>

Prev by Date: Welcome to the "Ipsec" mailing list
Next by Date: [Ipsec] (no subject)
Previous by thread: Welcome to the "Ipsec" mailing list
Next by thread: [Ipsec] Re: 2401bis -- Issue 91 -- handling ICMP error messages
Index(es):
- Date
- Thread