"Michael C. Richardson" <mcr@sandelman.ottawa.on.ca> Mon, 27 April 1998 00:44 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id UAA06927 for ipsec-outgoing; Sun, 26 Apr 1998 20:44:50 -0400 (EDT)
Message-Id: <199804270059.UAA02775@istari.sandelman.ottawa.on.ca>
To: ipsec@tis.com, tcp-impl@cthulhu.engr.sgi.com
Subject: ICMP and TCP
In-reply-to: Your message of "Sun, 19 Apr 1998 02:18:51 EDT." <199804190618.CAA01601@morden.sandelman.ottawa.on.ca>
Date: Sun, 26 Apr 1998 20:59:18 -0400
From: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

>>>>> "Michael" == Michael Richardson <mcr@sandelman.ottawa.on.ca> missed
some words, confusing his meaning:

    Michael> Assume a TCP connection that traverses a network, and is carried
    Michael> with IPsec (perhaps just AH) in "transport" mode. If there is
    Michael> some reason to believe that AH (or ESP) is on that network path,

  ...if there is some reason to believe that AH/ESP is needed on that network
path, that is, if you believe that there may be an eavesdropper or active
TCP spoofer, then I would suggest that there is sufficient additional reason
to worry that they will simply destructively shut you down with ICMP, or
perhaps even just ICMP ping floods.

   :!mcr!:            |  Sandelman Software Works Corporation, Ottawa, ON  
   Michael Richardson |	SSH IPsec: http://www.ssh.fi/. Secure, strong, international
 Personal: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available.
 Corporate: <A HREF="http://www.sandelman.ottawa.on.ca/SSW/">sales@sandelman.ottawa.on.ca</A>.