ICMP Security Failures Messages
RFC 2521
| Document | Type |
RFC - Experimental
(March 1999; No errata)
Was draft-simpson-icmp-ipsec-fail (individual)
|
|
|---|---|---|---|
| Last updated | 2013-03-02 | ||
| Stream | Legacy | ||
| Formats | plain text html pdf htmlized bibtex | ||
| Stream | Legacy state | (None) | |
| Consensus Boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | RFC 2521 (Experimental) | |
| Telechat date | |||
| Responsible AD | (None) | ||
| Send notices to | (None) | ||
Network Working Group P. Karn
Request for Comments: 2521 Qualcomm
Category: Experimental W. Simpson
DayDreamer
March 1999
ICMP Security Failures Messages
Status of this Memo
This document defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). Copyright (C) Philip Karn
and William Allen Simpson (1994-1999). All Rights Reserved.
Abstract
This document specifies ICMP messages for indicating failures when
using IP Security Protocols (AH and ESP).
Karn & Simpson Experimental [Page i]
RFC 2521 ICMP Security Failures March 1999
Table of Contents
1. Introduction .......................................... 1
2. Message Formats ....................................... 1
2.1 Bad SPI ......................................... 2
2.2 Authentication Failed ........................... 2
2.3 Decompression Failed ............................ 2
2.4 Decryption Failed ............................... 2
2.5 Need Authentication ............................. 3
2.6 Need Authorization .............................. 3
3. Error Procedures ...................................... 3
SECURITY CONSIDERATIONS ...................................... 4
HISTORY ...................................................... 5
ACKNOWLEDGEMENTS ............................................. 5
REFERENCES ................................................... 5
CONTACTS ..................................................... 6
COPYRIGHT .................................................... 7
Karn & Simpson Experimental [Page ii]
RFC 2521 ICMP Security Failures March 1999
1. Introduction
This mechanism is intended for use with the Internet Security
Protocols [RFC-1825 et sequitur] for authentication and privacy. For
statically configured Security Associations, these messages indicate
that the operator needs to manually reconfigure, or is attempting an
unauthorized operation. These messages may also be used to trigger
automated session-key management.
The datagram format and basic facilities are already defined for ICMP
[RFC-792].
Up-to-date values of the ICMP Type field are specified in the most
recent "Assigned Numbers" [RFC-1700]. This document concerns the
following values:
40 Security Failures
2. Message Formats
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved | Pointer |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Original Internet Headers + 64 bits of Payload ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 40
Code Indicates the kind of failure:
0 = Bad SPI
1 = Authentication Failed
2 = Decompression Failed
3 = Decryption Failed
4 = Need Authentication
5 = Need Authorization
Checksum Two octets. The ICMP Checksum.
Reserved Two octets. For future use; MUST be set to zero
Karn & Simpson Experimental [Page 1]
RFC 2521 ICMP Security Failures March 1999
when transmitted, and MUST be ignored when received.
Pointer Two octets. An offset into the Original Internet
Headers that locates the most significant octet of
the offending SPI. Will be zero when no SPI is
present.
Original Internet Headers ...
The original Internet Protocol header, any
intervening headers up to and including the
offending SPI (if any), plus the first 64 bits (8
octets) of the remaining payload data.
This data is used by the host to match the message
Show full document text