
Re: [Ipsec] Re: 2401bis -- Issue 91 -- handling ICMP error messages



At 6:08 PM -0400 5/10/04, Mark Duffy wrote:
>Hi Steve,
>
>I do not question that the checks on the icmp payload packet would 
>provide an added measure of security -- I agree that they would.
>
>However I would like to understand where we are drawing the line 
>about what an "IPsec implementation" should check.  Should it check 
>for invalid combinations of control bits in a tcp header (e.g. SYN 
>and FIN)?  Or for packets with src addr == dest addr?  Etc.
>
>Is there something fundamentally different about checking the 
>payload of an ICMP packet that is sent on an SA negotiated for 
>protocol=icmp than there is about doing the other checks I mentioned?
>
>--Mark

Yes, Mark, there is. A single ICMP error message can disable all 
communication from the host that receives it to another host or net, 
something a set of bad TCP control flags cannot do.

Steve

P.S. A reasonable SPD WOULD catch your source addr = dest addr 
example in most cases since, to be delivered, the dest address would 
have to be behind the SG and that would not be a valid source address 
to traffic.
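As an added illustration of the check Steve is arguing for (example code written for this archive page, not from the thread or from any IPsec implementation): parse an ICMPv4 error message and verify that the datagram quoted inside it is one the SA's selectors would actually have carried, so a forged error cannot tear down communication to a host the SA never covered. The SA's local and remote address ranges and the optional protocol selector are assumed parameters, and the sample messages are constructed in the block rather than captured.

```python
import ipaddress
import struct

# ICMPv4 error types: unreachable, source quench, redirect, time exceeded, parameter problem
ICMPV4_ERROR_TYPES = {3, 4, 5, 11, 12}

def build_icmp_unreachable(orig_src, orig_dst, orig_proto, code=1):
    """Construct (not capture) an ICMPv4 Destination Unreachable message whose
    payload quotes the IPv4 header + 8 bytes of the original datagram."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, orig_proto, 0,
                        ipaddress.IPv4Address(orig_src).packed,
                        ipaddress.IPv4Address(orig_dst).packed)
    inner += b"\x00" * 8  # first 8 bytes of the original transport header
    return struct.pack("!BBHI", 3, code, 0, 0) + inner

def parse_icmp_error(msg):
    """Return (type, code, inner_src, inner_dst, inner_proto), or None if the
    message is not an ICMPv4 error or its quoted header is truncated/invalid."""
    if len(msg) < 8 + 20 or msg[0] not in ICMPV4_ERROR_TYPES:
        return None
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    src = ipaddress.IPv4Address(inner[12:16])
    dst = ipaddress.IPv4Address(inner[16:20])
    return msg[0], msg[1], src, dst, inner[9]

def icmp_error_matches_sa(msg, local_net, remote_net, proto_selector=None):
    """The datagram quoted in the error was sent by a host on the local side to
    a host on the remote side, so its source must fall inside the SA's local
    selector and its destination inside the remote one (and its protocol must
    match if the SA is constrained to one). Anything else is dropped rather
    than being allowed to tear down an unrelated connection."""
    parsed = parse_icmp_error(msg)
    if parsed is None:
        return False
    _, _, src, dst, proto = parsed
    if src not in ipaddress.IPv4Network(local_net):
        return False
    if dst not in ipaddress.IPv4Network(remote_net):
        return False
    return proto_selector is None or proto == proto_selector
```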


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec