6. ICMP Processing
This section describes IPsec handling of ICMP traffic. There are two categories of ICMP traffic: error messages (e.g., type = destination unreachable) and non-error messages (e.g., type = echo). This section applies exclusively to error messages. Disposition of non-error ICMP messages (that are not addressed to the IPsec implementation itself) MUST be explicitly accounted for using SPD entries.
The discussion in this section applies to ICMPv6 as well as to ICMPv4. Also, a mechanism SHOULD be provided to allow an administrator to cause ICMP error messages (selected, all, or none) to be logged as an aid to problem diagnosis.
6.1. Processing ICMP Error Messages Directed to an IPsec Implementation
6.1.1. ICMP Error Messages Received on the Unprotected Side
An ICMP message received on the unprotected side is unauthenticated, and its processing may result in denial or degradation of service. This suggests that, in general, it would be desirable to ignore such messages. However, many ICMP messages will be received by hosts or security gateways from unauthenticated sources, e.g., routers in the public Internet. Ignoring these ICMP messages can degrade service, e.g., because of a failure to process PMTU messages and redirection messages.
Key Considerations:
- Security Risk: Unauthenticated ICMP messages can be used for denial-of-service attacks
- Operational Need: Some ICMP messages (PMTU, redirects) are necessary for proper network operation
- Trade-off: Balance between security and functionality
6.1.2. ICMP Error Messages Received on the Protected Side
ICMP error messages received on the protected side of the boundary have been authenticated and can be processed with greater confidence.
ICMP Message Categories
Error Messages
- Destination Unreachable
- Time Exceeded
- Parameter Problem
- Packet Too Big (ICMPv6)
Non-Error Messages (require explicit SPD entries)
- Echo Request/Reply
- Router Advertisement/Solicitation
- Neighbor Discovery (ICMPv6)
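The rules above (error versus non-error classification, the unprotected/protected distinction, the PMTU and redirect exceptions, the administrator's logging switch, and the SPD requirement for non-error messages) can be expressed as a small disposition engine. The following Python is an added example written for this page; it is not code from RFC 4301 or from any IPsec implementation. ICMP type numbers come from RFC 792, RFC 1122 and RFC 4443; the IcmpPolicy knobs, the SPD table, the "discard when no SPD entry matches" default and the sample headers are constructed for illustration.

```python
# Added example: ICMP disposition logic modelled on this section (constructed, not RFC text).
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# ICMPv4 error types per RFC 1122 section 3.2.2 (Redirect, type 5, is an error there).
ICMPV4_ERROR_TYPES = {3, 4, 5, 11, 12}  # unreachable, source quench, redirect, time exceeded, param problem
# ICMPv6 (RFC 4443): types 0-127 are errors, 128-255 informational, so v6 Redirect (137)
# and Neighbor Discovery (135/136) fall on the non-error side and need SPD entries.

class Side(Enum):
    UNPROTECTED = "unprotected"  # arrived unauthenticated (public Internet side)
    PROTECTED = "protected"      # arrived on the protected side of the boundary

class Disposition(Enum):
    PROCESS = "process"        # hand to the IP stack (e.g., update the PMTU estimate)
    IGNORE = "ignore"          # unauthenticated error dropped per policy
    SPD_LOOKUP = "spd-lookup"  # non-error message: the matching SPD entry decides

@dataclass
class IcmpMessage:
    version: int  # 4 or 6
    type: int
    code: int
    side: Side

@dataclass
class IcmpPolicy:
    """Constructed policy knobs (assumption, not an RFC 4301 data structure)."""
    accept_pmtu_from_unprotected: bool = True       # operational need: PMTU discovery
    accept_redirect_from_unprotected: bool = False  # spoofable, so off by default
    log_errors: object = "all"                      # "all", "none", or a set of ICMP types
    spd_non_error: dict = field(default_factory=dict)  # (version, type) -> bypass/protect/discard

@dataclass
class Decision:
    disposition: Disposition
    reason: str
    logged: bool = False
    spd_action: Optional[str] = None

def parse_icmp_header(raw: bytes, version: int, side: Side) -> IcmpMessage:
    """Type and code are the first two octets of both ICMPv4 and ICMPv6 headers."""
    if len(raw) < 4:
        raise ValueError("ICMP header truncated")
    return IcmpMessage(version=version, type=raw[0], code=raw[1], side=side)

def is_error_message(msg: IcmpMessage) -> bool:
    return msg.type < 128 if msg.version == 6 else msg.type in ICMPV4_ERROR_TYPES

def is_pmtu_message(msg: IcmpMessage) -> bool:
    """Fragmentation Needed (v4 type 3 code 4) or Packet Too Big (v6 type 2)."""
    return msg.type == 2 if msg.version == 6 else (msg.type == 3 and msg.code == 4)

def is_redirect(msg: IcmpMessage) -> bool:
    return msg.type == (137 if msg.version == 6 else 5)

def should_log(msg: IcmpMessage, policy: IcmpPolicy) -> bool:
    """The administrator's 'selected, all, or none' logging switch from the section."""
    if policy.log_errors == "all":
        return True
    if policy.log_errors == "none":
        return False
    return msg.type in policy.log_errors

def dispose(msg: IcmpMessage, policy: IcmpPolicy) -> Decision:
    if not is_error_message(msg):
        # Non-error ICMP must be covered by an explicit SPD entry; no entry -> discard (constructed default).
        action = policy.spd_non_error.get((msg.version, msg.type), "discard")
        return Decision(Disposition.SPD_LOOKUP, "non-error message, SPD decides", spd_action=action)
    logged = should_log(msg, policy)
    if msg.side is Side.PROTECTED:
        return Decision(Disposition.PROCESS, "error received on protected side", logged)
    # Unprotected side: unauthenticated, so ignore unless operationally required.
    if is_pmtu_message(msg) and policy.accept_pmtu_from_unprotected:
        return Decision(Disposition.PROCESS, "unauthenticated PMTU message accepted by policy", logged)
    if is_redirect(msg) and policy.accept_redirect_from_unprotected:
        return Decision(Disposition.PROCESS, "unauthenticated redirect accepted by policy", logged)
    return Decision(Disposition.IGNORE, "unauthenticated error message ignored", logged)

# Constructed sample headers: (label, raw bytes, IP version, arrival side).
SAMPLES = [
    ("v4 frag-needed from Internet", bytes([3, 4, 0, 0, 0, 0, 0x05, 0xDC]), 4, Side.UNPROTECTED),
    ("v4 time-exceeded from Internet", bytes([11, 0, 0, 0]), 4, Side.UNPROTECTED),
    ("v6 packet-too-big from protected net", bytes([2, 0, 0, 0]), 6, Side.PROTECTED),
    ("v6 echo-request from Internet", bytes([128, 0, 0, 0]), 6, Side.UNPROTECTED),
]

def run_samples(policy: Optional[IcmpPolicy] = None) -> dict:
    """Dispose every sample header under the given policy (default: echo-request bypassed by SPD)."""
    if policy is None:
        policy = IcmpPolicy(spd_non_error={(6, 128): "bypass"})
    return {label: dispose(parse_icmp_header(raw, ver, side), policy)
            for label, raw, ver, side in SAMPLES}
```

Running `run_samples()` processes the Fragmentation Needed message from the Internet (PMTU exception) while ignoring the unauthenticated Time Exceeded, processes the Packet Too Big seen on the protected side, and sends the Echo Request to the SPD, where only an explicit bypass entry lets it through. Note that ICMPv6 Redirect (137) is informational by RFC 4443 numbering, so in this model it is governed by an SPD entry rather than by the redirect exception.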