[Ipsec] Re: 2401bis -- Issue 91 -- handling ICMP error messages
Mohan,
>Karen,
>
>Just one clarification below..
>
[snip]
>>> - The phrase "to ensure that the enclosed packet is consistent
>>> with its source" could use some elaboration.
>>
>> Good point. Consistent --> the selector fields in the enclosed
>> packet match the selector fields for an existing SA.
>>
>You mean "the selector fields in the enclosed packet match the selector
>fields for an existing SA only if it is found". It is possible (and
>valid) to have an SA for protocol = icmp, type, code but not for the
>enclosed packet.
>
>-mohan
>
Yes, that is what I meant. However, a colleague has pointed
out that it would be better to say that the selector fields
of the enclosed (triggering) packet should be looked up in
the SPD (SPD-S and SPD-O, not SPD-I) as follows:

Checking in the SPD-S:

If a matching SPD-S entry is found (indicating that IPsec
protection is required), then the selector fields from the
triggering packet should be matched against the SAD entries
linked to the SPD-S entry to see if there is a currently
active SA. If no SA match is found, then the triggering
packet is unlikely to have been recently sent legitimately
and the ICMP packet MUST be dropped. If a matching SA is
found, then the ICMP packet passes this check and its
processing continues.

Checking in the SPD-O:

If a matching SPD-O entry is found that indicates DROP, then
the triggering packet should have been dropped, so the ICMP
packet MUST be dropped.

If a matching SPD-O entry is found that indicates BYPASS,
then the ICMP packet passes this check and its processing
continues.

If no matching SPD-O entry is found, the packet is unlikely
to have been recently sent legitimately and the ICMP packet
MUST be dropped.

Note that there is no way to detect the case where an ICMP
packet is being sent as an attack, the ICMP packet's selectors
match an active SA, and the packet it contains happens to match
a legitimate, active SA or match an SPD-O entry indicating
BYPASS.

Thank you,
Karen
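The SPD-S / SAD / SPD-O lookup Karen describes, written out as an added example (not code from the 2401bis draft or from anyone on the list). The Selector, SpdSEntry and SpdOEntry classes, the (src, dst, proto) triple and the sample policy are all constructed assumptions; the outer ICMP packet's own SA check is assumed to have already passed, and SPD-S is consulted before SPD-O.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed, simplified model of the check described above: the
# selectors of the packet enclosed in the ICMP error (the "triggering"
# packet) are looked up in SPD-S, then SPD-O; SPD-I is never consulted.

@dataclass
class Selector:
    src: str      # CIDR, e.g. "10.0.0.0/24"
    dst: str
    proto: int    # 0 = any protocol

    def matches(self, src, dst, proto):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in (0, proto))

@dataclass
class SpdSEntry:              # PROTECT entry, linked to SAD entries
    selector: Selector
    sa_ids: list = field(default_factory=list)

@dataclass
class SpdOEntry:              # BYPASS or DROP entry
    selector: Selector
    action: str

def check_icmp_error(trig, spd_s, sad, spd_o):
    """trig = (src, dst, proto) of the enclosed packet; sad maps the id
    of each currently active SA to its selectors. Returns PASS or DROP."""
    src, dst, proto = trig
    for entry in spd_s:                         # 1. SPD-S lookup
        if entry.selector.matches(src, dst, proto):
            for sa_id in entry.sa_ids:          # any active linked SA?
                if sa_id in sad and sad[sa_id].matches(src, dst, proto):
                    return "PASS"
            return "DROP"     # protection required but no live SA exists
    for entry in spd_o:                         # 2. SPD-O lookup
        if entry.selector.matches(src, dst, proto):
            return "PASS" if entry.action == "BYPASS" else "DROP"
    return "DROP"                               # 3. no SPD entry at all

# Constructed sample policy: 10.0.0.0/24 -> 10.0.1.0/24 is protected; only
# SA 2 (ICMP) is active, SA 1 (TCP) has expired; 192.0.2.0/24 is bypassed.
SPD_S = [SpdSEntry(Selector("10.0.0.0/24", "10.0.1.0/24", 0), [1, 2])]
SAD = {2: Selector("10.0.0.0/24", "10.0.1.0/24", 1)}
SPD_O = [SpdOEntry(Selector("192.0.2.0/24", "0.0.0.0/0", 0), "BYPASS"),
         SpdOEntry(Selector("0.0.0.0/0", "0.0.0.0/0", 0), "DROP")]
```

With this policy an ICMP error enclosing a TCP packet from 10.0.0.5 is dropped even though an ICMP SA for the same hosts is active, which is exactly Mohan's case.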
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec