List: ipsec
Subject: Re: handling of ICMP error codes in 2401bis
From: Michael Richardson <mcr () sandelman ! ottawa ! on ! ca>
Date: 2002-04-16 14:16:26
>>>>> "Markku" == Markku Savela <msa@burp.tkv.asdf.org> writes:
Markku> Few, somewhat delayed comments...
Markku> First, my view is
Markku> When an ICMP error message is generated from ESP protected incoming
Markku> packet, then the *ONLY* valid handling alternatives are
Markku> 1) do not send the ICMP error
Markku> 2) apply protection based on the selectors of the received packet
Markku> (as proposed by Michael Richardson)
As I read your message, I thought that you were going to make the point
that using a separate (but differently keyed) SA for ICMP messages introduces
some interesting new ways to get possibly more known plaintext. Or that the
ICMP stream could be protected (by accident) by a much weaker cipher.
Markku> Implementing this logic for IPv4 is fairly simple and easy (I've done
Markku> it). However, IPv6 and extension headers will cause some
Markku> implementation difficulties, consider
Markku> IP ESP DOP EXT TCP ...
Markku> (e.g. DOP=Destination Option, EXT some other extension header). If
Markku> ICMP is generated in DOP (unknown options or something), there is a
Markku> problem with IPSEC finding out the proper selectors from TCP headers,
Markku> unless it also knows the format of EXT header (otherwise it will just
Markku> assume EXT as upper layer).
Yes, a problem.
Worse in IPv6, but the amount of returned header is much larger in v6.
Markku> Not really unsolvable, just adding some complexity. Adding a new
Markku> extension header implementation needs to provide a way for IPSEC to
Markku> skip over it...
That's pretty trivial to code.
Hardware to do that is also on the market.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
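The extension-header walk Markku describes (IP ESP DOP EXT TCP), worked through as an added example in C. This is not code from the thread or from any IPsec implementation: the two packets are constructed by hand, the protocol numbers (0, 43, 44, 60 for extension headers; 6, 17, 58, 59, 132 for upper layers; 253 as the experimental value standing in for an extension header the stack does not know) are IANA assignments, and the struct and function names are this example's own. Where the thread notes that an implementation "will just assume EXT as upper layer", this example instead refuses to guess and takes Markku's option 1, not sending the ICMP error, whenever the selectors cannot be recovered.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Traffic selectors an SPD lookup needs from the (decrypted) inner packet. */
struct selectors {
    uint8_t  src[16], dst[16];
    uint8_t  proto;      /* upper-layer protocol found after the extension chain */
    uint16_t src_port;   /* 0 when the protocol carries none or they are not present */
    uint16_t dst_port;
};

enum { SEL_OK = 0, SEL_TRUNCATED = -1, SEL_UNKNOWN_NH = -2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk an IPv6 packet's extension headers to the upper layer and fill *sel.
 * Returns SEL_OK on success, SEL_TRUNCATED if the buffer ends inside a header,
 * or SEL_UNKNOWN_NH if a next-header value is neither an extension header we
 * know how to skip nor an upper-layer protocol we know: the two cases are
 * indistinguishable from the wire, so the caller must not guess. */
int ipv6_selectors(const uint8_t *pkt, size_t len, struct selectors *sel)
{
    if (len < 40 || (pkt[0] >> 4) != 6) return SEL_TRUNCATED;
    memcpy(sel->src, pkt + 8, 16);
    memcpy(sel->dst, pkt + 24, 16);
    sel->src_port = sel->dst_port = 0;

    uint8_t nh = pkt[6];
    size_t off = 40;
    for (;;) {
        size_t hlen;
        switch (nh) {
        case 0: case 60: case 43:      /* hop-by-hop, destination options, routing */
            if (off + 2 > len) return SEL_TRUNCATED;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;   /* length field is in 8-octet units, first 8 excluded */
            break;
        case 44:                       /* fragment header: fixed 8 octets */
            if (off + 8 > len) return SEL_TRUNCATED;
            if ((rd16(pkt + off + 2) & 0xfff8) != 0) {
                /* non-initial fragment: only the protocol number is recoverable, no ports */
                sel->proto = pkt[off];
                return SEL_OK;
            }
            hlen = 8;
            break;
        case 6: case 17: case 132:     /* TCP, UDP, SCTP: ports are the first 4 octets */
            if (off + 4 > len) return SEL_TRUNCATED;
            sel->proto = nh;
            sel->src_port = rd16(pkt + off);
            sel->dst_port = rd16(pkt + off + 2);
            return SEL_OK;
        case 58: case 59:              /* ICMPv6 (no ports), "no next header" */
            sel->proto = nh;
            return SEL_OK;
        default:
            return SEL_UNKNOWN_NH;
        }
        if (off + hlen > len) return SEL_TRUNCATED;
        nh = pkt[off];                 /* next-header field is the first octet of every extension header */
        off += hlen;
    }
}

/* Responder policy from the thread: send the ICMP error (protected by the SA the
 * recovered selectors pick) only when the selectors could be recovered; otherwise stay silent. */
int may_send_icmp_error(const uint8_t *pkt, size_t len, struct selectors *sel)
{
    return ipv6_selectors(pkt, len, sel) == SEL_OK;
}

/* Constructed packet: IPv6 / Destination Options / Fragment (offset 0) / TCP 1234 -> 443. */
static const uint8_t pkt_dop_frag_tcp[] = {
    0x60,0,0,0, 0,36, 60, 64,                                 /* payload len 36, next = dst opts */
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1,              /* src 2001:db8::1 */
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2,              /* dst 2001:db8::2 */
    44, 0, 1,4, 0,0,0,0,                                      /* dst opts: next = fragment, one PadN */
    6, 0, 0,0, 0,0,0,1,                                       /* fragment: next = TCP, offset 0, id 1 */
    0x04,0xd2, 0x01,0xbb, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0, /* TCP SYN */
};

/* Constructed packet: IPv6 / Destination Options / next header 253, which this stack cannot skip. */
static const uint8_t pkt_dop_unknown_ext[] = {
    0x60,0,0,0, 0,16, 60, 64,
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1,
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2,
    253, 0, 1,4, 0,0,0,0,                                     /* dst opts: next = 253 (experimental) */
    0,0,0,0,0,0,0,0,                                          /* eight octets of unknown layout */
};

int main(void)
{
    struct selectors s;
    int rc = ipv6_selectors(pkt_dop_frag_tcp, sizeof pkt_dop_frag_tcp, &s);
    printf("known chain: rc=%d proto=%u ports %u->%u send_icmp=%d\n", rc, s.proto,
           s.src_port, s.dst_port, may_send_icmp_error(pkt_dop_frag_tcp, sizeof pkt_dop_frag_tcp, &s));
    rc = ipv6_selectors(pkt_dop_unknown_ext, sizeof pkt_dop_unknown_ext, &s);
    printf("unknown chain: rc=%d send_icmp=%d\n", rc,
           may_send_icmp_error(pkt_dop_unknown_ext, sizeof pkt_dop_unknown_ext, &s));
    return 0;
}
```

Adding a new extension header to this stack means adding one `case` to the skip table; until that is done, packets carrying it fall into the "do not send" branch rather than being matched against the wrong selectors and leaking an unprotected or mis-keyed ICMP error.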