ICMP error notification with IPsec in ip6_forward()
blue
susan.lan at zyxel.com.tw
Fri Sep 7 03:23:07 PDT 2007
Dear all:
Recently I have been tracing the code of ip6_forward(), which is defined in
ip6_forward.c. My reference version is FreeBSD Release 6.1. I have the
following questions about IPsec operations:
(1) Lines 489-512 are about the transmission of the ICMP Packet Too Big
message. Is it necessary here since tunneled packets are already sent
out at this point?
(2) The location of the packet size examination is not proper. If the
packet matches an SP, then it will be tunneled without sending out an ICMP
Packet Too Big error message to the source.
(3) Is there any RFC about ICMP notification and IPsec? I am not sure
what kind of ICMP error messages should be sent out from the security
gateway. For example, is an ICMP Destination Unreachable necessary if the
inner destination is unreachable? Or is an ICMP Redirect packet necessary if
the inner destination needs to be redirected?
Thanks.
Best regards,
Yi-Wen