Henry Spencer writes:
> On Wed, 27 Sep 2000, Stefan Schlott wrote:
> > ..."Destination Unreachable Message
> > Code 1 - communication with destination administratively prohibited"
> > Should this message be sent when a packet does not conform to the local
> > security policy database (SPD), or should such packets be silently discarded?
>
> The central question is whether the ICMP message is believable.
>
> If it will flow via an authenticated path (e.g. an IPsec tunnel) or via a
> physically-secure path (e.g. on the "interior" side of a security gateway,
> where plaintext communication is normal), then sending it is probably
> wise... although administrators might want to be able to control that.
>
> If it will flow via an insecure path, then what good is it? The receiver
> can't trust it to tell the truth. At most, it might give the receiver a
> hint that communications difficulties are occurring, but the receiver
> cannot trust that report without confirming it by other means.
This strikes me as completely backward: the sender should *always*
send it. It is the *receiver's* job to determine whether it is
believable. Having the sender second guess what the receiver
should and should not discard sounds like a great way to cause
an interoperability deadlock.
A receiving end system that has an IPsec SG somewhere in front of it
is not necessarily able to know whether the sender is a secure
source. I interpret Henry's advice in the context of that SG, and
there it seems appropriate.
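The receiver-side judgement the thread argues about can be made concrete. Below is an added example, written for this page and not code from anyone in the thread: it builds an ICMP Destination Unreachable, code 1 (administratively prohibited) message in the RFC 792 layout, then shows a receiving host deciding what to do with it. The host discards anything with a bad checksum or whose quoted datagram does not match a flow it actually has open; a matching report is acted on only when it arrived over an authenticated path, and is otherwise kept as a hint. The `via_authenticated_path` flag is an assumption supplied by the caller (in a real stack it would come from whether the packet was decapsulated from an IPsec SA); the addresses, port numbers and the `Flow`/`classify` names are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

ICMP_DEST_UNREACH = 3            # RFC 792 type
ICMP_CODE_ADMIN_PROHIBITED = 1   # RFC 1812 code: communication administratively prohibited
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


@dataclass(frozen=True)
class Flow:
    """5-tuple of a datagram this host sent (src is our own address)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071). Over a packet that includes its checksum field it yields 0."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_admin_prohibited(gateway: str, victim: str, offending: bytes) -> bytes:
    """What a security gateway would send back: type 3, code 1, 4 unused bytes,
    then the offending datagram's IP header plus the first 8 bytes of its payload."""
    ihl = (offending[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_CODE_ADMIN_PROHIBITED, 0, 0) + offending[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return build_ipv4(gateway, victim, IPPROTO_ICMP, icmp)


def parse_quoted_flow(icmp: bytes) -> Optional[Tuple[int, Flow]]:
    """Return (code, quoted 5-tuple) from a type 3 ICMP message, or None if malformed."""
    if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]
    if len(inner) < 20:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:      # need the transport ports from the quote
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return icmp[1], Flow(str(ipaddress.IPv4Address(inner[12:16])),
                         str(ipaddress.IPv4Address(inner[16:20])), inner[9], sport, dport)


def classify(packet: bytes, active_flows: Set[Flow], via_authenticated_path: bool) -> str:
    """Receiver-side policy for an incoming IPv4 packet carrying an ICMP admin-prohibited report.
    'enforce': trusted report, tear the flow down; 'hint': unverifiable, log only; 'discard': ignore."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 or packet[9] != IPPROTO_ICMP:
        return "discard"
    icmp = packet[ihl:]
    if checksum(icmp) != 0:                    # corrupted or sloppily forged
        return "discard"
    parsed = parse_quoted_flow(icmp)
    if parsed is None or parsed[0] != ICMP_CODE_ADMIN_PROHIBITED:
        return "discard"
    if parsed[1] not in active_flows:          # quote does not match anything we sent
        return "discard"
    return "enforce" if via_authenticated_path else "hint"


# Constructed scenario: this host (ME) opens TCP/443 to PEER; the gateway GW rejects it.
ME, PEER, GW = "10.0.0.5", "192.0.2.10", "192.0.2.1"
SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 8192, 0, 0)   # 20-byte TCP SYN
OFFENDING = build_ipv4(ME, PEER, IPPROTO_TCP, SYN)
REPORT = build_admin_prohibited(GW, ME, OFFENDING)
ACTIVE = {Flow(ME, PEER, IPPROTO_TCP, 40000, 443)}

if __name__ == "__main__":
    print("authenticated path:", classify(REPORT, ACTIVE, True))    # enforce
    print("plaintext path:    ", classify(REPORT, ACTIVE, False))   # hint
    print("no such flow:      ", classify(REPORT, set(), True))     # discard
```

The decision is deliberately the receiver's: the gateway always emits the report, and the host alone knows which path it came in on and which flows it has open. Matching the quoted 5-tuple is the "confirming by other means" Henry mentions; it does not make a plaintext-path report trustworthy, which is why such reports only rate a hint.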