
[Ipsec] Re: 2401bis -- Issue 91 -- handling ICMP error messages



Mohan,

>Karen,
>
>Just one clarification below..
>

[snip]

>> > -  The phrase "to ensure that the enclosed packet is consistent
>> > with its source" could use some elaboration.
>>
>>  Good point.  Consistent --> the selector fields in the enclosed
>>  packet match the selector fields for an existing SA.
>>
>You mean "the selector fields in the enclosed packet match the selector
>fields for an existing SA only if it is found". It is possible (and
>valid) to have an SA for protocol = icmp, type,code but not for the
>enclosed packet.
>
>-mohan
>
	Yes, that is what I meant.  However, a colleague has pointed
	out that it would be better to say that the selector fields
	of the enclosed (triggering) packet should be looked up in
	the SPD (SPD-S and SPD-O, not SPD-I) as follows:

	Checking in the SPD-S:

	   If a matching SPD-S entry is found (indicating that IPsec
	   protection is required), then the selector fields from the
	   triggering packet should be matched against the SAD entries
	   linked to the SPD-S entry to see if there is a currently
	   active SA.  If no SA match is found, then the triggering
	   packet is unlikely to have been recently sent legitimately
	   and the ICMP packet MUST be dropped. If a matching SA is
	   found, then the ICMP packet passes this check and its
	   processing continues.

	Checking in the SPD-O:

	   If a matching SPD-O entry is found that indicates DROP, then
	   the triggering packet should have been dropped, so the ICMP
	   packet MUST be dropped.

	   If a matching SPD-O entry is found that indicates BYPASS,
	   then the ICMP packet passes this check and its processing
	   continues.

	   If no matching SPD-O entry is found, the packet is unlikely
	   to have been recently sent legitimately and the ICMP packet
	   MUST be dropped.

	Note that there is no way to detect the case where an ICMP
	packet is being sent as an attack, the ICMP packet's selectors
	match an active SA, and the packet it contains happens to match
	a legitimate, active SA or match an SPD-O entry indicating
	BYPASS.


Thank you,
Karen
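The lookup procedure described in Karen's reply, as an added worked example (this code is not from the thread, from 2401bis, or from any IPsec implementation): it extracts the selector fields of the triggering packet from a constructed IPv4 ICMP error message, then applies the SPD-S/SAD check followed by the SPD-O check in the stated order. The policy tables, addresses, entry names and the ordered-list SPD model are assumptions made for the example; the earlier step, that the ICMP packet's own selectors match an active SA, is assumed to have already passed.

```python
"""Added example: checking the packet enclosed in an ICMP error against
the SPD-S (plus SAD) and SPD-O, following the order in Karen's mail.
All policy data below is constructed for illustration."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTECT, BYPASS, DROP = "PROTECT", "BYPASS", "DROP"
TCP, UDP = 6, 17


@dataclass(frozen=True)
class Selector:
    """Traffic selector: CIDR src/dst plus optional protocol and dst port (None = any)."""
    src: str
    dst: str
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, src: str, dst: str, proto: int, dport: Optional[int]) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst, strict=False)
                and self.proto in (None, proto)
                and self.dport in (None, dport))


@dataclass(frozen=True)
class SPDEntry:
    name: str
    selector: Selector
    action: str          # PROTECT for SPD-S entries, BYPASS or DROP for SPD-O entries


@dataclass(frozen=True)
class SAEntry:
    spd_name: str        # the SPD-S entry this SA was created for (assumed linkage)
    selector: Selector   # the SA's own (possibly narrowed) selectors
    active: bool


def parse_triggering_packet(icmp: bytes) -> Tuple[str, str, int, Optional[int]]:
    """Return (src, dst, proto, dport) from the IPv4 header and the 8 transport
    bytes that follow the 8-byte ICMP error header. IPv4 only in this example."""
    inner = icmp[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("enclosed packet is not a complete IPv4 header")
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    dport = None
    if proto in (TCP, UDP) and len(inner) >= ihl + 4:
        dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return src, dst, proto, dport


def check_triggering_packet(pkt, spd_s: List[SPDEntry], spd_o: List[SPDEntry],
                            sad: List[SAEntry]) -> Tuple[str, str]:
    """Apply the SPD-S check, then the SPD-O check; returns (verdict, reason)."""
    src, dst, proto, dport = pkt
    # SPD-S: a match means the triggering packet needed IPsec protection, so a
    # currently active SA linked to that entry must exist, otherwise drop.
    for entry in spd_s:                     # first match wins (ordered SPD)
        if entry.selector.matches(src, dst, proto, dport):
            for sa in sad:
                if (sa.spd_name == entry.name and sa.active
                        and sa.selector.matches(src, dst, proto, dport)):
                    return "PASS", f"active SA found for SPD-S entry {entry.name}"
            return "DROP", f"SPD-S entry {entry.name} matched but no active SA"
    # SPD-O: DROP entries mean the triggering packet could not have been sent;
    # BYPASS entries let the ICMP packet continue; no entry at all means drop.
    for entry in spd_o:
        if entry.selector.matches(src, dst, proto, dport):
            if entry.action == DROP:
                return "DROP", f"SPD-O entry {entry.name} says DROP"
            return "PASS", f"SPD-O entry {entry.name} says BYPASS"
    return "DROP", "no SPD-O entry matches the triggering packet"


def handle_icmp_error(icmp: bytes, spd_s, spd_o, sad) -> Tuple[str, str]:
    return check_triggering_packet(parse_triggering_packet(icmp), spd_s, spd_o, sad)


def build_icmp_error(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed ICMP Destination Unreachable (type 3, code 3); checksums left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    transport = struct.pack("!HHI", sport, dport, 0)     # ports + 4 more header bytes
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + transport


# Constructed policy: one PROTECT entry with a narrowed active SA, two SPD-O entries.
SPD_S = [SPDEntry("web-to-dmz", Selector("10.0.1.0/24", "192.0.2.0/24", TCP, 443), PROTECT)]
SPD_O = [SPDEntry("deny-telnet", Selector("10.0.1.0/24", "0.0.0.0/0", TCP, 23), DROP),
         SPDEntry("bypass-dns", Selector("10.0.1.0/24", "0.0.0.0/0", UDP, 53), BYPASS)]
SAD = [SAEntry("web-to-dmz", Selector("10.0.1.5/32", "192.0.2.10/32", TCP, 443), True)]

if __name__ == "__main__":
    for args in [("10.0.1.5", "192.0.2.10", TCP, 40000, 443),   # active SA: PASS
                 ("10.0.1.7", "192.0.2.10", TCP, 40000, 443),   # no SA for this host: DROP
                 ("10.0.1.5", "203.0.113.9", TCP, 40000, 23),   # SPD-O DROP
                 ("10.0.1.5", "203.0.113.9", UDP, 5000, 53),    # SPD-O BYPASS: PASS
                 ("10.0.1.5", "203.0.113.9", TCP, 40000, 80)]:  # no SPD-O entry: DROP
        print(args, handle_icmp_error(build_icmp_error(*args), SPD_S, SPD_O, SAD))
```

The second case is the one Mohan's clarification turns on: the triggering packet matches an SPD-S entry, so a real IPsec peer would have needed an SA for it, but the only SA present was narrowed to a different host, so the ICMP error is dropped rather than acted on.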

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec