Re: IPv6 Neighbour Solicitation messages and IPsec

[Stephen Kent <kent@xxxxxxx>]

Jari,

> Stefan Schlott wrote:
>
>  > functions of it) for the IPv6 stack of Linux, I finally allowed all ICMP
>  > messages to pass unprocessed - securing ICMP broke too many things; this
>  > is certainly not an optimal solution, but it'll have to be sufficient for
>  > the moment. I don't think it will make much sense to process some kind
>
> This is a good first approximation to get things going. But I think 
> it would be
> useful to try and understand the ICMP issue in a bit more detail. I'm
> thinking of a document that specifies how each ICMPv6 message should be
> treated in terms of IPsec. There are a bunch of interesting cases.
> For instance,
>
> 	* Ping. This is very useful for testing IPsec connections as well,
> 	  having it not inside IPsec would lose that functionality.
> 	  Not to mention the fact that on my computer, ping6 seems to
> 	  be the *only* IPv6 application.
>
> 	* Path MTU discovery. Consider the following case:
>
> 	   (N1)----(VPNGW1)----(R1)----(VPNGW2)-----(R2)----(N2)
>
> 	  Assume N1 wants to send traffic to N2, part of the path
> 	  goes through an insecure network part, secured using
> 	  VPNGWs 1 and 2. And now Path MTU discovery is in
> 	  progress between N1 and N2. Assume the smallest MTU
> 	  is at R2. Then an ICMPv6 Packet Too Big message must be
> 	  sent back towards the VPNGW2. Should that message
> 	  go to the tunnel? I think it should.
There is nothing to prohibit transmission of this ICMP message via 
the security gateways, if appropriate SPD entries exist.