HP-UX IPSec Version A.03.00 Administrator's Guide

IP may send ICMP Redirect messages to redirect traffic to a different gateway. The
transmission of ICMP Redirect messages is controlled by the IP kernel parameter
ip_send_redirects. By default, this feature is enabled on all HP-UX systems. Refer to
the ndd(1M) manpage for information on checking or changing this parameter value.

IP may send ICMP Source Quench messages to request that the source system decrease its
transmission rate. The transmission of ICMP Source Quench messages is controlled by the
IP kernel parameter ip_send_source_quench. By default, this feature is enabled on all
HP-UX systems. Refer to the ndd(1M) manpage for information on checking or changing this
parameter value.

Discarding ICMPv4 (ICMP for IPv4) messages, or requiring them to be encrypted or
authenticated, may cause connectivity problems. Normal network operation may require IP
to exchange ICMP messages between end-to-end hosts, and between an end host and an IP
gateway (including router devices). IP may need to exchange ICMP packets with gateway
nodes even when no user (end-to-end) services are in use between the host and those
gateways.

Be careful when configuring the default IPsec policy, or IPsec policies that affect entire
subnets, because you might inadvertently cause ICMP messages to be discarded. You might
also inadvertently require ICMP messages transmitted to or received from a gateway or
router to be secured with IPsec; if the gateway or router does not secure its ICMP
messages, HP-UX IPSec will discard them.
Syntax
If you specify ICMP for the protocol argument in a host policy, you can specify ICMPv4 message
type values for the packet filter using the -dst_icmp_type and -src_icmp_type arguments.
The syntax for these arguments in an ipsec_config add host command is as follows:
-dst_icmp_type type_number[,type_number]...|ALL
-src_icmp_type type_number[,type_number]...|ALL
Where type_number is the integer ICMPv4 message type (0 - 255).
Example
ipsec_config add host no_traceroute -protocol ICMP -src_icmp_type 30 -action DISCARD
ICMPv6 Message Processing
You can configure specific ICMPv6 message types for host policy packet filters using the
-src_icmpv6_type and -dst_icmpv6_type arguments.
To enable proper operation of IPv6 networks, the default operation of HP-UX IPSec allows the
following ICMPv6 messages to pass in clear text:
Router Solicitation
Router Advertisement
Neighbor Solicitation
Neighbor Advertisement
Redirect
Destination Unreachable
Packet Too Big
Time Exceeded
Parameter Problem
Router Renumbering
HP recommends that you do not modify this default behavior: do not configure any policies
that discard or secure packets by explicitly specifying these type values in the
-src_icmpv6_type or -dst_icmpv6_type arguments.
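The following Python policy linter is an added example, not part of the guide or of the HP-UX IPSec product. It parses the type_number[,type_number]...|ALL syntax from the Syntax section above and flags an ipsec_config add host argument list that discards or secures one of the ICMPv6 message types HP recommends leaving alone, or that filters ALL ICMPv4 types. It assumes that PASS is the clear-text action keyword, that every option takes exactly one value, and that the ICMPv6 type numbers are the IANA assignments (the guide lists the names, not the numbers).

```python
import re

# ICMPv6 message types that HP-UX IPSec passes in clear text by default (the ten
# listed above). Type numbers are the IANA assignments (RFC 4443, RFC 4861, RFC 2894);
# the guide gives only the names, so this mapping is the example's own assumption.
IPV6_PASSTHROUGH = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement", 137: "Redirect",
    138: "Router Renumbering",
}


def parse_icmp_types(value):
    """Parse 'type_number[,type_number]...|ALL'. Returns a set of ints, or None for ALL."""
    if value == "ALL":
        return None
    types = set()
    for item in value.split(","):
        if not re.fullmatch(r"\d{1,3}", item) or int(item) > 255:
            raise ValueError(f"ICMP type {item!r} is not an integer in 0-255 or ALL")
        types.add(int(item))
    return types


def lint_host_policy(args):
    """Return (option, type_number, label) findings for one host policy.

    `args` is the token list that follows 'ipsec_config add host <name>'; each option
    is assumed (not stated by the guide) to take exactly one value. Any -action other
    than PASS (assumed clear-text keyword) counts as discarding or securing traffic."""
    opts = {args[i].lstrip("-"): args[i + 1] for i in range(0, len(args) - 1, 2)}
    findings = []
    if opts.get("action", "").upper() == "PASS":
        return findings
    for opt in ("src_icmpv6_type", "dst_icmpv6_type"):
        if opt in opts:
            types = parse_icmp_types(opts[opt])
            hits = IPV6_PASSTHROUGH if types is None else types & set(IPV6_PASSTHROUGH)
            for t in sorted(hits):
                findings.append((opt, t, IPV6_PASSTHROUGH[t]))
    for opt in ("src_icmp_type", "dst_icmp_type"):
        if opt in opts and parse_icmp_types(opts[opt]) is None:
            findings.append((opt, None, "ALL ICMPv4 types filtered; may break connectivity"))
    return findings


if __name__ == "__main__":
    # The guide's own example (safe) and a constructed policy that breaks IPv6 neighbor discovery.
    print(lint_host_policy(["-protocol", "ICMP", "-src_icmp_type", "30", "-action", "DISCARD"]))
    print(lint_host_policy(["-src_icmpv6_type", "135,136", "-action", "DISCARD"]))
```

A clean run prints an empty list for the guide's no_traceroute policy and two findings (Neighbor Solicitation, Neighbor Advertisement) for the constructed one.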
HP-UX IPSec Operation 185