ICMP message from SG to Host to say "Need access to TCP or UDP Protocol or Port information"
"Waters, Stephen" <Stephen.Waters@cabletron.com> Tue, 19 October 1999 12:03 UTC
Message-ID: <29752A74B6C5D211A4920090273CA3DCCDE53B@new-exc1.ctron.com>
From: "Waters, Stephen" <Stephen.Waters@cabletron.com>
To: ipsec@lists.tislabs.com
Subject: ICMP message from SG to Host to say "Need access to TCP or UDP Protocol or Port information"
Date: Tue, 19 Oct 1999 11:47:40 +0100

I've just had a scan on Appendix D of the IPSEC architecture for help on generating an ICMP from a Security Gateway to a 'protected host':

Host1----SG1-----SG2----Host2

If Host1 sends packets to Host2 that are ipsec-blocked by SG1, what ICMP Name/Code could SG1 generate?

What started me thinking about this was the problem of Host1 generating ESP or IPCOMP packets that obscured the inner TCP/UDP details needed by SG1 to match on a policy, but I guess this is a generic problem of 'policy block'.

Does "Destination Network Unreachable for Type of Service" cover it?

Cheers, Steve.