
List:       ipsec
Subject:    Re: handling of ICMP error codes in 2401bis
From:       Michael Richardson <mcr () sandelman ! ottawa ! on ! ca>
Date:       2002-04-16 14:16:26

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Markku" == Markku Savela <msa@burp.tkv.asdf.org> writes:
    Markku> Few, somewhat delayed comments...

    Markku> First, my view is

    Markku>  When an ICMP error message is generated from ESP protected incoming
    Markku>  packet, then the *ONLY* valid handling alternatives are

    Markku>   1) do not send the ICMP error

    Markku>   2) apply protection based on the selectors of the received packet
    Markku>      (as proposed by Michael Richardson)

  As I read your message, I thought that you were going to make the point
that using a separate (but differently keyed) SA for ICMP messages introduces 
some interesting new ways to get possibly more known plaintext. Or that the
ICMP stream could be protected (by accident) by a much weaker cipher.

    Markku> Implementing this logic for IPv4 is fairly simple and easy (I've done
    Markku> it). However, IPv6 and extension headers will cause some
    Markku> implementation difficulties, consider

    Markku>   IP ESP DOP EXT TCP ...

    Markku> (e.g. DOP=Destination Option, EXT some other extension header). If
    Markku> ICMP is generated in DOP (unknown options or something), there is a
    Markku> problem with IPSEC finding out the proper selectors from TCP headers,
    Markku> unless it also knows the format of EXT header (otherwise it will just
    Markku> assume EXT as upper layer).

  Yes, a problem.
  Worse in IPv6, but the amount of returned header is much larger in v6.

    Markku> Not really unsolvable, just adding some complexity. Adding a new
    Markku> extension header implementation needs to provide a way for IPSEC to
    Markku> skip over it...

  That's pretty trivial to code.
  Hardware to do that is also on the market.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys

iQCVAwUBPLwyOIqHRg3pndX9AQEFHAQAzR5hE1vk+p0ZR/hkcFt3YvpGVb4bJsyU
Vaudms+mlUyBK5AS8el434Pu1p6qr3tVRmAuY79+bjQ4rDBnIg3AISM/XE+FGgqO
k6ebkzlhWnfp/yNOPnRvWnVOx3ol8NGsW4T11Xvp1WnGrGbojcYYgvwsBGOtIr8C
ZHvNAZHdgws=
=Q83f
-----END PGP SIGNATURE-----
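The extension-header walk discussed in the message above, written out as an added example. This is not code from either poster or from any IPsec implementation: it is a small C routine that starts at the first header inside a decrypted ESP payload and walks the IPv6 extension header chain to recover the transport selectors (protocol and ports). Each known header type has a registered "skipper"; when the walk meets a header it has no skipper for, it stops and reports that header as the upper layer, which is exactly the failure mode described for "IP ESP DOP EXT TCP". The `EXT` header is represented by the hypothetical protocol number 253 (from the IANA experimental range), and the packet bytes are constructed for the demonstration; the `know_ext` flag toggles whether IPsec has been taught to skip it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv6 next-header values used here (defined locally, no netinet headers). */
#define IP6_NH_HOPOPTS   0
#define IP6_NH_TCP       6
#define IP6_NH_UDP       17
#define IP6_NH_ROUTING   43
#define IP6_NH_FRAGMENT  44
#define IP6_NH_DSTOPTS   60
#define IP6_NH_EXT_DEMO  253   /* hypothetical "EXT" header, experimental range */

struct selectors {
    uint8_t  proto;      /* upper-layer protocol, or the header we could not skip */
    uint16_t sport, dport;
    int      complete;   /* 1 when transport ports were actually recovered */
};

/* A skipper reads one extension header at p (len bytes available), reports the
 * next-header value and the number of bytes to advance. Returns 0 on success,
 * -1 on truncation, 1 when the transport header cannot follow (non-first fragment). */
typedef int (*skipper_t)(const uint8_t *p, size_t len, uint8_t *next, size_t *adv);

/* Generic TLV layout shared by Hop-by-Hop, Routing and Destination Options:
 * byte 0 = next header, byte 1 = length in 8-octet units not counting the first 8. */
static int skip_generic(const uint8_t *p, size_t len, uint8_t *next, size_t *adv)
{
    if (len < 2) return -1;
    *next = p[0];
    *adv  = ((size_t)p[1] + 1) * 8;
    return *adv <= len ? 0 : -1;
}

/* Fragment header is a fixed 8 octets; a non-zero fragment offset means the
 * transport header lives in another fragment, so ports cannot be recovered. */
static int skip_fragment(const uint8_t *p, size_t len, uint8_t *next, size_t *adv)
{
    if (len < 8) return -1;
    *next = p[0];
    *adv  = 8;
    return ((((uint16_t)p[2] << 8) | p[3]) >> 3) ? 1 : 0;
}

/* The registry Markku's point is about: a header IPsec has no entry for is
 * treated as the upper layer. know_ext simulates adding an entry for EXT. */
static skipper_t skipper_for(uint8_t nh, int know_ext)
{
    switch (nh) {
    case IP6_NH_HOPOPTS: case IP6_NH_ROUTING: case IP6_NH_DSTOPTS:
        return skip_generic;
    case IP6_NH_FRAGMENT:
        return skip_fragment;
    case IP6_NH_EXT_DEMO:
        return know_ext ? skip_generic : NULL;
    default:
        return NULL;
    }
}

/* Walk from the header identified by first_nh. Returns 0 on success, -1 on truncation. */
int find_selectors(uint8_t first_nh, const uint8_t *p, size_t len, int know_ext,
                   struct selectors *out)
{
    uint8_t nh = first_nh;
    memset(out, 0, sizeof *out);
    for (int hops = 0; hops < 16; hops++) {          /* bound the chain length */
        skipper_t sk = skipper_for(nh, know_ext);
        if (sk == NULL) break;                        /* unknown: assume upper layer */
        uint8_t next; size_t adv;
        int r = sk(p, len, &next, &adv);
        if (r < 0) return -1;
        if (r == 1) { out->proto = next; return 0; }  /* ports not in this fragment */
        nh = next; p += adv; len -= adv;
    }
    out->proto = nh;
    if ((nh == IP6_NH_TCP || nh == IP6_NH_UDP) && len >= 4) {
        out->sport = (uint16_t)((p[0] << 8) | p[1]);
        out->dport = (uint16_t)((p[2] << 8) | p[3]);
        out->complete = 1;
    }
    return 0;
}

/* Constructed ESP payload: Destination Options (PadN) -> EXT -> TCP 1234 -> 22. */
static const uint8_t demo_payload[] = {
    IP6_NH_EXT_DEMO, 0, 1, 4, 0, 0, 0, 0,             /* DOP: next=EXT, 8 octets */
    IP6_NH_TCP,      0, 0, 0, 0, 0, 0, 0,             /* EXT: next=TCP, 8 octets */
    0x04, 0xD2, 0x00, 0x16, 0,0,0,0, 0,0,0,0,         /* TCP: sport 1234, dport 22 */
    0x50, 0x02, 0xFF, 0xFF, 0,0, 0,0
};

/* Plain-integer wrappers over the demo packet: protocol found, and dport or -1. */
int demo_proto(int know_ext)
{
    struct selectors s;
    return find_selectors(IP6_NH_DSTOPTS, demo_payload, sizeof demo_payload, know_ext, &s) == 0
           ? s.proto : -1;
}
int demo_dport(int know_ext)
{
    struct selectors s;
    if (find_selectors(IP6_NH_DSTOPTS, demo_payload, sizeof demo_payload, know_ext, &s) != 0)
        return -1;
    return s.complete ? s.dport : -1;
}

int main(void)
{
    printf("without EXT skipper: proto=%d dport=%d\n", demo_proto(0), demo_dport(0));
    printf("with EXT skipper:    proto=%d dport=%d\n", demo_proto(1), demo_dport(1));
    return 0;
}
```

Without a skipper for EXT the walk stops at protocol 253 with no ports, so a selector-based policy lookup for the ICMP error would match on the wrong protocol; once EXT is registered (the "way for IPSEC to skip over it" Markku asks for) the same bytes yield TCP 1234 to 22. The fragment case is included because it is the other way the transport header can be legitimately absent even when every header type is known.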