> Uhh, SAs are unidirectional. Perhaps you mean "send the ICMP packet
> using the same SA a normal, non-errored response would use.."
This is what I have been thinking that would make sense. At least in
IPv6 ICMP, the error messages are clearly distinguished. So I have
been wondering if it would be a good rule as follows:
for IPv6 ICMP Error reports,
outbound: apply policy and IPSEC to the error packet based on the
header of the received packet (except the src/dst swapped as if the
packet were going out)
inbound: the policy check on ICMP error packets is based on the
contained header (not the outer ICMP). Thus, if the contained packet
would have required some IPSEC operations, the *whole* ICMP error
should have been protected by this IPSEC.
Whether the above would be useful, I don't know. I just know that in my
code it would be a fairly simple change: when extracting the parameters
from the packet for selector search, I would just have a branch for
ICMP error types to fetch the same values from the inner header...
-- msa
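As an added illustration (not code from this thread, nor from msa's implementation), the sketch below shows the selector-extraction branch described above in Python: a plain packet yields its own selectors, while an ICMPv6 error message (RFC 4443 types 0-127) yields the selectors of the invoking packet it carries, swapped for the outbound case and unswapped for the inbound policy check. The SPD table format, the `inbound_check` decision, the host addresses and the packets themselves are all constructed for the example; IPv6 extension headers are not walked, which is a simplification.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional

IPV6_HDR_LEN = 40
ICMPV6, TCP, UDP = 58, 6, 17


class Selector(NamedTuple):
    src: str
    dst: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]


class SpdEntry(NamedTuple):
    # Hypothetical SPD row: traffic matching src_net/dst_net/proto/dport
    # must be IPsec-protected when protect is True.
    src_net: str
    dst_net: str
    proto: Optional[int]
    dport: Optional[int]
    protect: bool


def parse_ipv6(pkt: bytes):
    """Return (src, dst, next_header, payload) of a raw IPv6 packet.
    Extension headers are not walked (simplification for this example)."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    dst = str(ipaddress.IPv6Address(pkt[24:40]))
    return src, dst, pkt[6], pkt[IPV6_HDR_LEN:]


def transport_ports(proto: int, payload: bytes):
    """TCP and UDP both begin with source port, destination port."""
    if proto in (TCP, UDP) and len(payload) >= 4:
        return struct.unpack("!HH", payload[:4])
    return None, None


def extract_selectors(pkt: bytes, outbound: bool) -> Selector:
    src, dst, proto, payload = parse_ipv6(pkt)
    # RFC 4443: ICMPv6 types 0-127 are error messages and carry the
    # invoking packet right after the 8-byte ICMPv6 header.
    if proto == ICMPV6 and len(payload) >= 8 and payload[0] < 128:
        isrc, idst, iproto, ipayload = parse_ipv6(payload[8:])
        isport, idport = transport_ports(iproto, ipayload)
        if outbound:
            # The error travels back toward the inner packet's source, so
            # swap src/dst (and ports) as if the reply were going out.
            return Selector(idst, isrc, iproto, idport, isport)
        # Inbound: judge the error by the packet it reports on.
        return Selector(isrc, idst, iproto, isport, idport)
    sport, dport = transport_ports(proto, payload)
    return Selector(src, dst, proto, sport, dport)


def spd_requires_protection(sel: Selector, spd) -> bool:
    for e in spd:
        if (ipaddress.IPv6Address(sel.src) in ipaddress.IPv6Network(e.src_net)
                and ipaddress.IPv6Address(sel.dst) in ipaddress.IPv6Network(e.dst_net)
                and e.proto in (None, sel.proto)
                and e.dport in (None, sel.dport)):
            return e.protect
    return False  # no matching entry: treat as bypass (assumption)


def inbound_check(pkt: bytes, spd, arrived_protected: bool) -> str:
    """Inbound rule from the message: if the contained packet would have
    needed IPsec, the whole ICMPv6 error must have arrived protected."""
    sel = extract_selectors(pkt, outbound=False)
    if spd_requires_protection(sel, spd) and not arrived_protected:
        return "discard"
    return "accept"


# --- constructed sample packets (not captured traffic) ---
def build_ipv6(src: str, dst: str, next_hdr: int, payload: bytes) -> bytes:
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_tcp(sport: int, dport: int) -> bytes:
    # Minimal 20-byte TCP SYN; checksum left zero since nothing is sent.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


HOST_A, HOST_B = "2001:db8:1::10", "2001:db8:2::20"
ORIGINAL = build_ipv6(HOST_A, HOST_B, TCP, build_tcp(40000, 443))
# Destination Unreachable (type 1), code 4 = port unreachable, sent by B.
ICMP_ERROR = build_ipv6(HOST_B, HOST_A, ICMPV6,
                        struct.pack("!BBHI", 1, 4, 0, 0) + ORIGINAL)
ECHO_REQUEST = build_ipv6(HOST_A, HOST_B, ICMPV6, struct.pack("!BBHHH", 128, 0, 0, 1, 1))
SPD = [SpdEntry("2001:db8:1::/64", "2001:db8:2::/64", TCP, 443, protect=True)]

if __name__ == "__main__":
    print("outbound at B:", extract_selectors(ICMP_ERROR, outbound=True))
    print("inbound at A:", extract_selectors(ICMP_ERROR, outbound=False))
    print("unprotected error:", inbound_check(ICMP_ERROR, SPD, arrived_protected=False))
    print("protected error:", inbound_check(ICMP_ERROR, SPD, arrived_protected=True))
```

Run as-is, the outbound lookup at B resolves to the B-to-A, 443-to-40000 selector (the SA a normal reply would use), while the inbound check at A resolves to the original A-to-B, 40000-to-443 selector and discards the error if the SPD demanded protection for that flow but the error came in clear. Informational messages such as Echo Request take the ordinary path and are matched on the outer header only.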
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------