Network Working Group Michael Richardson mcr@sandelman.ottawa.on.ca
INTERNET-DRAFT Sandelman Software Works
<draft-ietf-ipsec-icmp-handle-v4-00.txt> v1.0, September 1998
Expires in six months
IPv4 ICMP messages and IPsec security gateways
Status of This memo
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''
To learn the current status of any Internet-Draft, please check
the ``1id-abstracts.txt'' listing contained in the Internet-Drafts
Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast),
or ftp.isi.edu (US West Coast).
Abstract
This document enumerates the list of ICMP messages that a security gate-
way may receive and provides an analysis of if and how a gateway should
handle them. Three options types of behaviour are enumerated: discard,
MAY be forwarded, and MUST be forwarded.
Michael Richardson mcr@sandelman.ottawa.on.ca [page 1]
INTERNET-DRAFT v1.0, September 1998
Table of Contents
1. Introduction to the problem . . . . . . . . . . . . . . . . . . 4
2. ICMP Messages HEADER-2 . . . . . . . . . . . . . . . . . . . . . 4
2.1.1. All types HEADER-4 . . . . . . . . . . . . . . . . . . . 4
2.1.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 4
2.1.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Destination Unreachable . . . . . . . . . . . . . . . . . . 4
2.2.1. Host Unreachable . . . . . . . . . . . . . . . . . . . . 4
2.2.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.2. Comm. w/Dest. Host is Administratively Prohibited . . . 5
2.2.2.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.2.2. Black . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.2.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.3. Destination Host Unreachable for Type of Service . . . . 5
2.2.3.2. Black . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.3.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.4. Communication Administratively Prohibited . . . . . . . 6
2.2.4.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.4.2. Black . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.4.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.5. Precedence cutoff in effect . . . . . . . . . . . . . . 6
2.2.5.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.5.2. Black . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.5.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . . 6
2.3. RFC792 Source Quench . . . . . . . . . . . . . . . . . . . . 6
2.3.1. All types . . . . . . . . . . . . . . . . . . . . . . . 6
2.3.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 6
2.3.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . . 7
2.4. Redirect. . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.4.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 7
2.4.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . . 7
2.4.2. Redirect Datagram for the Type of Service and Host . . . 7
2.4.2.2. Black . . . . . . . . . . . . . . . . . . . . . . . 7
2.4.2.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . . 7
2.5. Alternate Host Address . . . . . . . . . . . . . . . . . . . 7
2.5.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 7
2.5.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 8
2.5.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . . 8
2.6. Echo Request . . . . . . . . . . . . . . . . . . . . . . . . 8
2.6.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 8
2.6.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 8
2.6.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . . 8
2.7. Time Exceeded . . . . . . . . . . . . . . . . . . . . . . . 8
2.7.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 8
2.7.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 8
2.7.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . . 8
2.8. Parameter Problem . . . . . . . . . . . . . . . . . . . . . 8
2.8.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 8
2.8.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 9
2.8.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . . 9
2.9. Timestamp. . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.9.1. All type codes . . . . . . . . . . . . . . . . . . . . . 9
2.9.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 9
2.9.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . . 9
2.10. Timestamp Reply . . . . . . . . . . . . . . . . . . . . . . 9
2.10.1. All type codes . . . . . . . . . . . . . . . . . . . . 9
2.10.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 9
2.10.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . 9
2.11. Information Request . . . . . . . . . . . . . . . . . . . . 9
2.11.1. All type codes . . . . . . . . . . . . . . . . . . . . 10
2.11.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 10
2.11.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . 10
2.12. Information Reply . . . . . . . . . . . . . . . . . . . . . 10
2.12.1. All type codes . . . . . . . . . . . . . . . . . . . . 10
2.12.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 10
2.12.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . 10
2.13. Address Mask Request . . . . . . . . . . . . . . . . . . . 10
2.13.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 10
2.13.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 10
2.13.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . 10
2.14. Traceroute. . . . . . . . . . . . . . . . . . . . . . . . . 11
2.14.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 11
2.14.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 11
2.14.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . 11
2.15. Datagram Conversion Error . . . . . . . . . . . . . . . . . 11
2.15.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 11
2.15.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 11
2.15.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . 11
2.16. Mobile Host Redirect . . . . . . . . . . . . . . . . . . . 11
2.16.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 11
2.16.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 11
2.16.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . 11
2.17. IPv6 Where-Are-You . . . . . . . . . . . . . . . . . . . . 12
2.17.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 12
2.17.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 12
2.17.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . 12
2.18. IPv6 I-Am-Here . . . . . . . . . . . . . . . . . . . . . . 12
2.18.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 12
2.18.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 12
2.18.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . 12
2.19. Mobile Registration Request . . . . . . . . . . . . . . . . 12
2.19.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 12
2.19.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 12
2.19.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . 12
2.20. Mobile Registration Reply . . . . . . . . . . . . . . . . . 13
2.20.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 13
2.20.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 13
2.20.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . 13
2.21. Domain Name Request . . . . . . . . . . . . . . . . . . . . 13
2.21.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 13
2.21.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 13
2.21.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . 13
2.22. Domain Name Reply . . . . . . . . . . . . . . . . . . . . . 13
2.22.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 13
2.22.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 13
2.22.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . 13
2.23. SKIP . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.23.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 14
2.23.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 14
2.23.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . 14
2.24. Photoris . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.24.1. All type codes . . . . . . . . . . . . . . . . . . . . 14
2.24.1.1. Red . . . . . . . . . . . . . . . . . . . . . . . . 14
2.24.1.2. Black . . . . . . . . . . . . . . . . . . . . . . . 14
2.24.1.3. Tunnel . . . . . . . . . . . . . . . . . . . . . . 14
3. Security Considerations: . . . . . . . . . . . . . . . . . . . . 14
4. References: . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.1. Author's Address . . . . . . . . . . . . . . . . . . . . . . 15
4.2. Expiration and File Name . . . . . . . . . . . . . . . . . . 16
--toc--
--toc--
--toc--
--toc--
--toc--
--toc--
--toc--
--toc--
--toc--
--toc--
--toc--
--toc--
1. Introduction to the problem
An introduction to the porblem and terminology for this document is
defined in ICMPIPSEC.
This document describes what option should be implemented for each ICMP
message type.
2. ICMP Messages HEADER-2
2.1. Echo Reply
Type 0, defined in RFC-0792.
2.1.1. All types HEADER-4
2.1.1.1. Red
Discard.
2.1.1.2. Black
Forward using ICMP SA.
2.1.1.3. Tunnel
Forward if arrived via ICMP SA.
2.2. Destination Unreachable
Type 3, defined in RFC-0792.
Michael Richardson mcr@sandelman.ottawa.on.ca [page 4]
INTERNET-DRAFT v1.0, September 1998
2.2.1. Host Unreachable
Code 1.
2.2.1.1. Red
Discard. Heuristically, it may be useful to accelerate the timeout of
any key management, as these messages may be accurate.
2.2.1.2. Black
Send via ISAKMP Notify message. No communication is possible to this
node. This is done via ISAKMP so that the originating gateway G1 can
cache this connectivity information, and avoid expending effort setting
up futile SAs for hosts that are not responding. This cache must
timeout.
2.2.1.3. Tunnel
Forward if it arrived via implicit ICMP.
2.2.2. Comm. w/Dest. Host is Administratively Prohibited
Code 10.
2.2.2.1. Red
Discard. Heuristically, it may be useful to accelerate the timeout of
any key management, as these messages may be accurate.
2.2.2.2. Black
Discard. It may be necessary to traverse additional firewalls/gateways.
If permitted by local policy, an attempt to set up a linked SA may be
made.
2.2.2.3. Tunnel
Forward if it arrived via implicit ICMP. It may be required that the end
host (E1) establish an end-to-end SA with E2.
2.2.3. Destination Host Unreachable for Type of Service
Code 12 HEADER-4
2.2.3.1. Red
Discard. Heuristically, it be a sign that RSVP or another resource
reservation protocol should have been used to get an appropriate QoS. It
may also be a sign that an attempt to get/use a particular QoS was
inappropriate. It should be logged.
Michael Richardson mcr@sandelman.ottawa.on.ca [page 5]
INTERNET-DRAFT v1.0, September 1998
2.2.3.2. Black
Forward via implicit ICMP.
2.2.3.3. Tunnel
Forward if it arrived via implicit ICMP.
2.2.4. Communication Administratively Prohibited
Code 13. From RFC1812
2.2.4.1. Red
Discard. ??
2.2.4.2. Black
Discard. ??
2.2.4.3. Tunnel
Discard. ??
2.2.5. Precedence cutoff in effect
Code 15. From RFC1812
2.2.5.1. Red
Discard. ??
2.2.5.2. Black
Discard. ??
2.2.5.3. Tunnel
Discard. ??
2.3. RFC792 Source Quench
Type 4. From RFC792
2.3.1. All types
2.3.1.1. Red
Discard. ??
2.3.1.2. Black
Discard. ??
Michael Richardson mcr@sandelman.ottawa.on.ca [page 6]
INTERNET-DRAFT v1.0, September 1998
2.3.1.3. Tunnel
Discard. ??
2.4. Redirect.
Type 5. From RFC792. HEADER-3
2.4.1. Redirect Datagram for the Host
Code 1. RFC792 HEADER-4
2.4.1.1. Red
Discard. This may be an attempt to cause a denial of service attack.
2.4.1.2. Black
Discard. It may be reasonable to pay attention to this datagram locally.
2.4.1.3. Tunnel
Forward if it arrived via an implicit ICMP SA. It may be that future
load sharing systems may attempt to have an end host switch its route to
another security gateway.
2.4.2. Redirect Datagram for the Type of Service and Host
Code 3. RFC792 HEADER-4
2.4.2.1. Red
Discard. This may be an attempt to cause a denial of service attack.
2.4.2.2. Black
Do not forward. It may be reasonable to pay attention to this datagram
locally.
2.4.2.3. Tunnel
Discard. This may be an attempt to cause a denial of service attack.
2.5. Alternate Host Address
Type 5. HEADER-3
2.5.1. All types
2.5.1.1. Red
Discard.
Michael Richardson mcr@sandelman.ottawa.on.ca [page 7]
INTERNET-DRAFT v1.0, September 1998
2.5.1.2. Black
Discard.
2.5.1.3. Tunnel
Discard.
2.6. Echo Request
Type 8. HEADER-3
2.6.1. All type codes
2.6.1.1. Red
Discard.
2.6.1.2. Black
Forward via explicit ICMP SA.
2.6.1.3. Tunnel
Forward if arrived via implicit ICMP SA.
2.7. Time Exceeded
Type 11. HEADER-3
2.7.1. All type codes
2.7.1.1. Red
Discard. Heuristically, this is a sign that one should perform
additional PMTU probes.
2.7.1.2. Black
Forward via implicit ICMP SA.
2.7.1.3. Tunnel
Forward if it arrived via implicit ICMP SA. It may be reasonable to
modify the maximum packet size to account for the SA's overhead if the
total is larger than the PMTU from G1 to G2.
2.8. Parameter Problem
Type 12. RFC792, RFC1108. HEADER-3
2.8.1. All type codes
Michael Richardson mcr@sandelman.ottawa.on.ca [page 8]
INTERNET-DRAFT v1.0, September 1998
2.8.1.1. Red
Discard.
2.8.1.2. Black
Forward via implicit ICMP.
2.8.1.3. Tunnel
Forward if it arrived via implicit ICMP.
2.9. Timestamp.
2.9.1. All type codes
Type 13. RFC792. HEADER-4
2.9.1.1. Red
Discard. ??
2.9.1.2. Black
Discard. ??
2.9.1.3. Tunnel
Discard. ??
2.10. Timestamp Reply
2.10.1. All type codes
Type 14. RFC792 HEADER-4
2.10.1.1. Red
Discard. ??
2.10.1.2. Black
Discard. ??
2.10.1.3. Tunnel
Discard. ??
Michael Richardson mcr@sandelman.ottawa.on.ca [page 9]
INTERNET-DRAFT v1.0, September 1998
2.11. Information Request
2.11.1. All type codes
Type 15. RFC792 HEADER-4
2.11.1.1. Red
Discard. ??
2.11.1.2. Black
Discard. ??
2.11.1.3. Tunnel
Discard. ??
2.12. Information Reply
2.12.1. All type codes
Type 16. RFC792 HEADER-4
2.12.1.1. Red
Discard. ??
2.12.1.2. Black
Discard. ??
2.12.1.3. Tunnel
Discard. ??
2.13. Address Mask Request
Type 17. See RFC950 HEADER-3
2.13.1. All type codes
2.13.1.1. Red
Discard. ??
2.13.1.2. Black
Discard. ??
2.13.1.3. Tunnel
Discard. ??
Michael Richardson mcr@sandelman.ottawa.on.ca [page 10]
INTERNET-DRAFT v1.0, September 1998
2.14. Traceroute.
Type 30. See RFC1393 HEADER-3
2.14.1. All type codes
2.14.1.1. Red
Discard. ??
2.14.1.2. Black
Discard. ??
2.14.1.3. Tunnel
Discard. ??
2.15. Datagram Conversion Error
Type 31. See RFC1475 HEADER-3
2.15.1. All type codes
2.15.1.1. Red
Discard. ??
2.15.1.2. Black
Discard. ??
2.15.1.3. Tunnel
Discard. ??
2.16. Mobile Host Redirect
Type 32. See Johnson HEADER-3
2.16.1. All type codes
2.16.1.1. Red
Discard. ??
2.16.1.2. Black
Discard. ??
2.16.1.3. Tunnel
Discard. ??
Michael Richardson mcr@sandelman.ottawa.on.ca [page 11]
INTERNET-DRAFT v1.0, September 1998
2.17. IPv6 Where-Are-You
Type 33. Simpson HEADER-3
2.17.1. All type codes
2.17.1.1. Red
Discard. ??
2.17.1.2. Black
Discard. ??
2.17.1.3. Tunnel
Discard. ??
2.18. IPv6 I-Am-Here
Type 34. Simpson HEADER-3
2.18.1. All type codes
2.18.1.1. Red
Discard. ??
2.18.1.2. Black
Discard. ??
2.18.1.3. Tunnel
Discard. ??
2.19. Mobile Registration Request
Type 35. Simpson HEADER-3
2.19.1. All type codes
2.19.1.1. Red
Discard. ??
2.19.1.2. Black
Discard. ??
2.19.1.3. Tunnel
Discard. ??
Michael Richardson mcr@sandelman.ottawa.on.ca [page 12]
INTERNET-DRAFT v1.0, September 1998
2.20. Mobile Registration Reply
Type 36. Simpson HEADER-3
2.20.1. All type codes
2.20.1.1. Red
Discard. ??
2.20.1.2. Black
Discard. ??
2.20.1.3. Tunnel
Discard. ??
2.21. Domain Name Request
Type 37. Simpson HEADER-3
2.21.1. All type codes
2.21.1.1. Red
Discard. ??
2.21.1.2. Black
Discard. ??
2.21.1.3. Tunnel
Discard. ??
2.22. Domain Name Reply
Type 38. Simpson HEADER-3
2.22.1. All type codes
2.22.1.1. Red
Discard. ??
2.22.1.2. Black
Discard. ??
2.22.1.3. Tunnel
Discard. ??
Michael Richardson mcr@sandelman.ottawa.on.ca [page 13]
INTERNET-DRAFT v1.0, September 1998
2.23. SKIP
Type 39. See Markson HEADER-3
2.23.1. All type codes
2.23.1.1. Red
Discard. ??
2.23.1.2. Black
Discard. ??
2.23.1.3. Tunnel
Discard. ??
2.24. Photoris
Type 40. See Simpson
2.24.1. All type codes
2.24.1.1. Red
Discard. ??
2.24.1.2. Black
Discard. ??
2.24.1.3. Tunnel
Discard. ??
3. Security Considerations:
This entire document discusses a security protocol.
4. References:
RFC1825
R. Atkinson, "Security Architecture for the Internet Protocol",
RFC-1825, August 1995.
ICMPIPSEC
M. Richardson, "Options for handling ICMP messages that must be
forwarded" work in progress: draft-ietf-ipsec-icmp-options-00.txt,
September 1998
ICMPIPSECV4
M. Richardson, "IPv4 ICMP messages and IPsec security gateways"
Michael Richardson mcr@sandelman.ottawa.on.ca [page 14]
INTERNET-DRAFT v1.0, September 1998
work in progress: draft-ietf-ipsec-icmp-handle-v4.txt, September
1998
ICMPIPSECV6
M. Richardson, "IPv6 ICMP messages and IPsec security gateways"
work in progress: draft-ietf-ipsec-icmp-handle-v6-00.txt,
September 1998
ARCHSEC
R. Atkinson, S. Kent, "Security Architecture for the Internet
Protocol", work in progress: draft-ietf-ipsec-arch-sec-07.txt,
July 1998
RFC-1191
J. Mogul, S. Deering, "Path MTU Discovery", RFC-1191, November
1990.
KSM-AH
New AH draft.
metrics
I. M. ISP, "How fast can it go?", draft-ietf-metrics-00.txt, work
in progress: Jan. 20, 1997
Gupta97-1
V. Gupta, S. Glass, "Firewall Traversal for Mobile IP: Goals and
Requirements", draft-ietf-mobileip-ft-req-00.txt, work in
progress: Jan. 20, 1997
Gupta97-2
V. Gupta, S. Glass, "Firewall Traversal for Mobile IP: Guidelines
for Firewalls and Mobile IP entities", draft-ietf-mobileip-
firewall-trav-00.txt, work in progress: March 17, 1997
RFC1256
S. Deering, "ICMP Router Discovery Messages." Sep-01-1991.
RFC1885
A. Conta, S. Deering, "Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6)." December 1995.
RFC791
J. Postel, "Internet Protocol." Sep-01-1981.
RFC792
J. Postel, "Internet Control Message Protocol.", Sep-01-1981.
RFC950
J.C. Mogul, J. Postel, "Internet Standard Subnetting Procedure."
Aug-01-1985.
4.1. Author's Address
Michael Richardson mcr@sandelman.ottawa.on.ca [page 15]
INTERNET-DRAFT v1.0, September 1998
Michael C. Richardson
Solidum Systems Corporation
940 Belfast Road
Ottawa, ON K1G 4A2
Canada
Telephone: +1 613 244-4804
EMail: mcr@sandelman.ottawa.on.ca
4.2. Expiration and File Name
This draft expires February 1999
Its file name is draft-ipsec-icmp-handle-v4-00.txt
Michael Richardson mcr@sandelman.ottawa.on.ca [page 16]
