Network Working Group                                 Michael Richardson
INTERNET-DRAFT                                 Sandelman Software Works
v1.0, September 1998                               Expires in six months

           IPv4 ICMP messages and IPsec security gateways

Status of This Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
   ftp.isi.edu (US West Coast).

Abstract

   This document enumerates the ICMP messages that a security gateway
   may receive and analyses whether and how a gateway should handle
   each of them.  Three types of behaviour are enumerated: discard, MAY
   be forwarded, and MUST be forwarded.

Michael Richardson mcr@sandelman.ottawa.on.ca                   [page 1]

Table of Contents

   1. Introduction to the problem
   2. ICMP Messages
      2.1.  Echo Reply
      2.2.  Destination Unreachable
            2.2.1. Host Unreachable
            2.2.2. Comm. w/Dest. Host is Administratively Prohibited
            2.2.3. Destination Host Unreachable for Type of Service
            2.2.4. Communication Administratively Prohibited
            2.2.5. Precedence cutoff in effect
      2.3.  Source Quench
      2.4.  Redirect
            2.4.1. Redirect Datagram for the Host
            2.4.2. Redirect Datagram for the Type of Service and Host
      2.5.  Alternate Host Address
      2.6.  Echo Request
      2.7.  Time Exceeded
      2.8.  Parameter Problem
      2.9.  Timestamp
      2.10. Timestamp Reply
      2.11. Information Request
      2.12. Information Reply
      2.13. Address Mask Request
      2.14. Traceroute
      2.15. Datagram Conversion Error
      2.16. Mobile Host Redirect
      2.17. IPv6 Where-Are-You
      2.18. IPv6 I-Am-Here
      2.19. Mobile Registration Request
      2.20. Mobile Registration Reply
      2.21. Domain Name Request
      2.22. Domain Name Reply
      2.23. SKIP
      2.24. Photuris
   3. Security Considerations
   4. References
      4.1. Author's Address
      4.2. Expiration and File Name

   Each message type is broken down into Red, Black and Tunnel
   subsections, one per interface on which the message may arrive.

1. Introduction to the problem

   An introduction to the problem and the terminology used in this
   document is given in ICMPIPSEC.  This document describes which
   option should be implemented for each ICMP message type.

2. ICMP Messages

2.1. Echo Reply

   Type 0, defined in RFC-0792.

2.1.1. All types

2.1.1.1. Red

   Discard.

2.1.1.2. Black

   Forward using ICMP SA.

2.1.1.3. Tunnel

   Forward if arrived via ICMP SA.

2.2. Destination Unreachable

   Type 3, defined in RFC-0792.

2.2.1. Host Unreachable

   Code 1.

2.2.1.1. Red

   Discard.
   Heuristically, it may be useful to accelerate the timeout of any key
   management, as these messages may be accurate.

2.2.1.2. Black

   Send via ISAKMP Notify message.  No communication is possible to this
   node.  This is done via ISAKMP so that the originating gateway G1 can
   cache this connectivity information, and avoid expending effort
   setting up futile SAs for hosts that are not responding.  This cache
   must time out.

2.2.1.3. Tunnel

   Forward if it arrived via implicit ICMP.

2.2.2. Comm. w/Dest. Host is Administratively Prohibited

   Code 10.

2.2.2.1. Red

   Discard.  Heuristically, it may be useful to accelerate the timeout
   of any key management, as these messages may be accurate.

2.2.2.2. Black

   Discard.  It may be necessary to traverse additional
   firewalls/gateways.  If permitted by local policy, an attempt to set
   up a linked SA may be made.

2.2.2.3. Tunnel

   Forward if it arrived via implicit ICMP.  It may be required that the
   end host (E1) establish an end-to-end SA with E2.

2.2.3. Destination Host Unreachable for Type of Service

   Code 12.

2.2.3.1. Red

   Discard.  Heuristically, it may be a sign that RSVP or another
   resource reservation protocol should have been used to get an
   appropriate QoS.  It may also be a sign that an attempt to get/use a
   particular QoS was inappropriate.  It should be logged.

2.2.3.2. Black

   Forward via implicit ICMP.

2.2.3.3. Tunnel

   Forward if it arrived via implicit ICMP.

2.2.4. Communication Administratively Prohibited

   Code 13.  From RFC1812.

2.2.4.1. Red

   Discard.  ??

2.2.4.2. Black

   Discard.  ??

2.2.4.3. Tunnel

   Discard.  ??

2.2.5. Precedence cutoff in effect

   Code 15.  From RFC1812.

2.2.5.1. Red

   Discard.  ??

2.2.5.2. Black

   Discard.  ??

2.2.5.3. Tunnel

   Discard.  ??

2.3. Source Quench

   Type 4.  From RFC792.

2.3.1. All types

2.3.1.1. Red

   Discard.  ??

2.3.1.2. Black

   Discard.  ??

2.3.1.3. Tunnel

   Discard.  ??

2.4. Redirect

   Type 5.  From RFC792.

2.4.1. Redirect Datagram for the Host

   Code 1.  RFC792.

2.4.1.1. Red

   Discard.  This may be an attempt to cause a denial of service attack.

2.4.1.2. Black

   Discard.  It may be reasonable to pay attention to this datagram
   locally.

2.4.1.3. Tunnel

   Forward if it arrived via an implicit ICMP SA.  It may be that future
   load sharing systems may attempt to have an end host switch its route
   to another security gateway.

2.4.2. Redirect Datagram for the Type of Service and Host

   Code 3.  RFC792.

2.4.2.1. Red

   Discard.  This may be an attempt to cause a denial of service attack.

2.4.2.2. Black

   Do not forward.  It may be reasonable to pay attention to this
   datagram locally.

2.4.2.3. Tunnel

   Discard.  This may be an attempt to cause a denial of service attack.

2.5. Alternate Host Address

   Type 5.

2.5.1. All types

2.5.1.1. Red

   Discard.

2.5.1.2. Black

   Discard.

2.5.1.3. Tunnel

   Discard.

2.6. Echo Request

   Type 8.

2.6.1. All type codes

2.6.1.1. Red

   Discard.

2.6.1.2. Black

   Forward via explicit ICMP SA.

2.6.1.3. Tunnel

   Forward if arrived via implicit ICMP SA.

2.7. Time Exceeded

   Type 11.

2.7.1. All type codes

2.7.1.1. Red

   Discard.  Heuristically, this is a sign that one should perform
   additional PMTU probes.

2.7.1.2. Black

   Forward via implicit ICMP SA.

2.7.1.3. Tunnel

   Forward if it arrived via implicit ICMP SA.  It may be reasonable to
   modify the maximum packet size to account for the SA's overhead if
   the total is larger than the PMTU from G1 to G2.

2.8. Parameter Problem

   Type 12.  RFC792, RFC1108.

2.8.1. All type codes

2.8.1.1. Red

   Discard.

2.8.1.2. Black

   Forward via implicit ICMP.

2.8.1.3. Tunnel

   Forward if it arrived via implicit ICMP.

2.9. Timestamp

   Type 13.  RFC792.

2.9.1. All type codes

2.9.1.1. Red

   Discard.  ??

2.9.1.2. Black

   Discard.  ??

2.9.1.3. Tunnel

   Discard.  ??

2.10. Timestamp Reply

   Type 14.  RFC792.

2.10.1. All type codes

2.10.1.1. Red

   Discard.  ??

2.10.1.2. Black

   Discard.  ??

2.10.1.3. Tunnel

   Discard.  ??

2.11. Information Request

   Type 15.  RFC792.

2.11.1. All type codes

2.11.1.1. Red

   Discard.  ??

2.11.1.2. Black

   Discard.  ??

2.11.1.3. Tunnel

   Discard.  ??

2.12. Information Reply

   Type 16.  RFC792.

2.12.1. All type codes

2.12.1.1. Red

   Discard.  ??

2.12.1.2. Black

   Discard.  ??

2.12.1.3. Tunnel

   Discard.  ??

2.13. Address Mask Request

   Type 17.  See RFC950.

2.13.1. All type codes

2.13.1.1. Red

   Discard.  ??

2.13.1.2. Black

   Discard.  ??

2.13.1.3. Tunnel

   Discard.  ??

2.14. Traceroute

   Type 30.  See RFC1393.

2.14.1. All type codes

2.14.1.1. Red

   Discard.  ??

2.14.1.2. Black

   Discard.  ??

2.14.1.3. Tunnel

   Discard.  ??

2.15. Datagram Conversion Error

   Type 31.  See RFC1475.

2.15.1. All type codes

2.15.1.1. Red

   Discard.  ??

2.15.1.2. Black

   Discard.  ??

2.15.1.3. Tunnel

   Discard.  ??

2.16. Mobile Host Redirect

   Type 32.  See Johnson.

2.16.1. All type codes

2.16.1.1. Red

   Discard.  ??

2.16.1.2. Black

   Discard.  ??

2.16.1.3. Tunnel

   Discard.  ??

2.17. IPv6 Where-Are-You

   Type 33.  Simpson.

2.17.1. All type codes

2.17.1.1. Red

   Discard.  ??

2.17.1.2. Black

   Discard.  ??

2.17.1.3. Tunnel

   Discard.  ??

2.18. IPv6 I-Am-Here

   Type 34.  Simpson.

2.18.1. All type codes

2.18.1.1. Red

   Discard.  ??

2.18.1.2. Black

   Discard.  ??

2.18.1.3. Tunnel

   Discard.  ??

2.19. Mobile Registration Request

   Type 35.  Simpson.

2.19.1. All type codes

2.19.1.1. Red

   Discard.  ??

2.19.1.2. Black

   Discard.  ??

2.19.1.3. Tunnel

   Discard.  ??
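   The per-type rules above as working code.  This is an added example,
   not part of the draft and not an implementation the author describes:
   it parses a raw IPv4 ICMP message, verifies the checksum and (for
   error messages) the quoted IPv4 header, then looks up the arrival
   interface (red, black, tunnel) and (type, code) in a table that
   encodes sections 2.1 through 2.19.  The draft's "explicit" and
   "implicit" ICMP SA distinction is collapsed into a single FORWARD
   action, an ISAKMP Notify is represented only by the negative cache
   that G1 keeps from Host Unreachable messages (section 2.2.1.2), and
   all names (Side, Action, POLICY, UnreachableCache) and the sample
   packets are this example's own.

```python
import struct
import time
from enum import Enum

class Side(Enum):
    RED = "red"        # protected (cleartext) side of the gateway
    BLACK = "black"    # unprotected side, message arrived in the clear
    TUNNEL = "tunnel"  # message arrived inside an SA from the peer gateway

class Action(Enum):
    DISCARD = "discard"
    FORWARD = "forward via ICMP SA"
    NOTIFY = "send ISAKMP Notify and cache the unreachable host"
    LOCAL = "discard, but may be acted on locally"

# ICMP type numbers from RFC 792.
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT, ECHO_REQUEST = 0, 3, 4, 5, 8
TIME_EXCEEDED, PARAM_PROBLEM = 11, 12

# The draft's rules.  Key: (type, code), code None meaning "all codes".
# Value: action per arrival side.  Red-side messages are always discarded,
# and any (type, code, side) missing from this table is discarded as well.
POLICY = {
    (ECHO_REPLY, None):    {Side.BLACK: Action.FORWARD, Side.TUNNEL: Action.FORWARD},
    (DEST_UNREACH, 1):     {Side.BLACK: Action.NOTIFY,  Side.TUNNEL: Action.FORWARD},
    (DEST_UNREACH, 10):    {Side.TUNNEL: Action.FORWARD},
    (DEST_UNREACH, 12):    {Side.BLACK: Action.FORWARD, Side.TUNNEL: Action.FORWARD},
    (REDIRECT, 1):         {Side.BLACK: Action.LOCAL,   Side.TUNNEL: Action.FORWARD},
    (REDIRECT, 3):         {Side.BLACK: Action.LOCAL},
    (ECHO_REQUEST, None):  {Side.BLACK: Action.FORWARD, Side.TUNNEL: Action.FORWARD},
    (TIME_EXCEEDED, None): {Side.BLACK: Action.FORWARD, Side.TUNNEL: Action.FORWARD},
    (PARAM_PROBLEM, None): {Side.BLACK: Action.FORWARD, Side.TUNNEL: Action.FORWARD},
}

ERROR_TYPES = {DEST_UNREACH, SOURCE_QUENCH, REDIRECT, TIME_EXCEEDED, PARAM_PROBLEM}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(data: bytes):
    """Return (type, code, payload), or None if the message is malformed."""
    if len(data) < 8 or icmp_checksum(data) != 0:
        return None
    icmp_type, code, payload = data[0], data[1], data[8:]
    if icmp_type in ERROR_TYPES:
        # An error message must quote the offending IPv4 header plus 8 bytes.
        if len(payload) < 28 or payload[0] >> 4 != 4:
            return None
    return icmp_type, code, payload

def decide(side: Side, icmp_type: int, code: int, via_icmp_sa: bool = False) -> Action:
    """Apply the draft's table to one message arriving on `side`."""
    rules = POLICY.get((icmp_type, code)) or POLICY.get((icmp_type, None)) or {}
    action = rules.get(side, Action.DISCARD)
    # Tunnel-side rules read "forward if it arrived via the ICMP SA".
    if side is Side.TUNNEL and action is Action.FORWARD and not via_icmp_sa:
        return Action.DISCARD
    return action

class UnreachableCache:
    """Negative cache G1 keeps from Host Unreachable notifies; entries expire."""
    def __init__(self, ttl_seconds: float = 60.0):
        self.ttl = ttl_seconds
        self._expiry = {}
    def record(self, host: str, now: float = None):
        self._expiry[host] = (time.time() if now is None else now) + self.ttl
    def is_unreachable(self, host: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        exp = self._expiry.get(host)
        if exp is not None and now < exp:
            return True
        self._expiry.pop(host, None)   # expired or unknown: forget it
        return False

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes) -> bytes:
    """Constructed test message with a valid checksum (rest = 4 bytes after it)."""
    head = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return head[:2] + struct.pack("!H", icmp_checksum(head)) + head[4:]

def handle(side: Side, data: bytes, via_icmp_sa=False, cache=None, now=None) -> Action:
    """Parse, classify, and update the negative cache when the table says NOTIFY."""
    parsed = parse_icmp(data)
    if parsed is None:
        return Action.DISCARD          # bad checksum or malformed quote: drop silently
    icmp_type, code, payload = parsed
    action = decide(side, icmp_type, code, via_icmp_sa)
    if action is Action.NOTIFY and cache is not None:
        dst = ".".join(str(b) for b in payload[16:20])   # destination of the quoted packet
        cache.record(dst, now)
    return action

if __name__ == "__main__":
    echo = build_icmp(ECHO_REQUEST, 0, b"\x00\x01\x00\x01", b"constructed")
    for side in Side:
        print(side.value, handle(side, echo, via_icmp_sa=True).value)
```

   The checks a gateway would add before this table are the usual ones:
   a message with a bad checksum or an error message that does not quote
   a plausible IPv4 header is dropped before policy is consulted, and the
   negative cache is consulted before key management is started for a
   host, so that a spoofed Host Unreachable can at most delay an SA
   until the entry times out.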
2.20. Mobile Registration Reply

   Type 36.  Simpson.

2.20.1. All type codes

2.20.1.1. Red

   Discard.  ??

2.20.1.2. Black

   Discard.  ??

2.20.1.3. Tunnel

   Discard.  ??

2.21. Domain Name Request

   Type 37.  Simpson.

2.21.1. All type codes

2.21.1.1. Red

   Discard.  ??

2.21.1.2. Black

   Discard.  ??

2.21.1.3. Tunnel

   Discard.  ??

2.22. Domain Name Reply

   Type 38.  Simpson.

2.22.1. All type codes

2.22.1.1. Red

   Discard.  ??

2.22.1.2. Black

   Discard.  ??

2.22.1.3. Tunnel

   Discard.  ??

2.23. SKIP

   Type 39.  See Markson.

2.23.1. All type codes

2.23.1.1. Red

   Discard.  ??

2.23.1.2. Black

   Discard.  ??

2.23.1.3. Tunnel

   Discard.  ??

2.24. Photuris

   Type 40.  See Simpson.

2.24.1. All type codes

2.24.1.1. Red

   Discard.  ??

2.24.1.2. Black

   Discard.  ??

2.24.1.3. Tunnel

   Discard.  ??

3. Security Considerations

   This entire document discusses a security protocol.

4. References

   RFC1825      R. Atkinson, "Security Architecture for the Internet
                Protocol", RFC-1825, August 1995.

   ICMPIPSEC    M. Richardson, "Options for handling ICMP messages that
                must be forwarded", work in progress:
                draft-ietf-ipsec-icmp-options-00.txt, September 1998.

   ICMPIPSECV4  M. Richardson, "IPv4 ICMP messages and IPsec security
                gateways", work in progress:
                draft-ietf-ipsec-icmp-handle-v4.txt, September 1998.

   ICMPIPSECV6  M. Richardson, "IPv6 ICMP messages and IPsec security
                gateways", work in progress:
                draft-ietf-ipsec-icmp-handle-v6-00.txt, September 1998.

   ARCHSEC      R. Atkinson, S. Kent, "Security Architecture for the
                Internet Protocol", work in progress:
                draft-ietf-ipsec-arch-sec-07.txt, July 1998.

   RFC-1191     J. Mogul, S. Deering, "Path MTU Discovery", RFC-1191,
                November 1990.

   KSM-AH       New AH draft.

   metrics      I. M. ISP, "How fast can it go?",
                draft-ietf-metrics-00.txt, work in progress:
                Jan. 20, 1997.

   Gupta97-1    V. Gupta, S. Glass, "Firewall Traversal for Mobile IP:
                Goals and Requirements",
                draft-ietf-mobileip-ft-req-00.txt, work in progress:
                Jan. 20, 1997.

   Gupta97-2    V. Gupta, S. Glass, "Firewall Traversal for Mobile IP:
                Guidelines for Firewalls and Mobile IP entities",
                draft-ietf-mobileip-firewall-trav-00.txt, work in
                progress: March 17, 1997.

   RFC1256      S. Deering, "ICMP Router Discovery Messages",
                1 September 1991.

   RFC1885      A. Conta, S. Deering, "Internet Control Message Protocol
                (ICMPv6) for the Internet Protocol Version 6 (IPv6)",
                December 1995.

   RFC791       J. Postel, "Internet Protocol", 1 September 1981.

   RFC792       J. Postel, "Internet Control Message Protocol",
                1 September 1981.

   RFC950       J.C. Mogul, J. Postel, "Internet Standard Subnetting
                Procedure", 1 August 1985.

4.1. Author's Address

   Michael C. Richardson
   Solidum Systems Corporation
   940 Belfast Road
   Ottawa, ON  K1G 4A2
   Canada

   Telephone: +1 613 244-4804
   EMail:     mcr@sandelman.ottawa.on.ca

4.2. Expiration and File Name

   This draft expires February 1999.
   Its file name is draft-ipsec-icmp-handle-v4-00.txt.