Re: ICMP and unknown extension headers?

Markku Savela Wed, 21 Jun 2000 16:38:14 -0700

> >   outbound: apply policy and IPSEC to the error packed based on the
> >   header of the received packet (except the src/dst swapped as if the
> >   packet were going out)
> 
> >   inbound: the policy check on ICMP error packets is based on the
> >   contained header (not the outer ICMP). Thus, if the contained packet
> >   would have required some IPSEC operations, the *whole* ICMP error
> >   should have been protected by this IPSEC.
> 
> But how can you examine the contained header, which might be
> encrypted, for the policy check?

I don't see any problem. Packet is in clear at this point already.

On inbound, the policy check is of course done after IPSEC decryption,
as with any other IPSEC packet. This applies to the ICMP's that come
from the other end point. If ICMP is generated on the route by some
router, then I would not try to decipher it too much (with truncation
and ESP, things get messy).
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
Re: ICMP and unknown extension headers?

Reply via email to
