On Sun, 27 Feb 2005 [EMAIL PROTECTED] wrote:
Some informal text, helping the ICMPv6 implementers to understand the
IPsec processing issues, should be still OK.

I agree. The knob of whether unauthenticated ICMP packets should be accepted or dropped also falls under the IPsec module while implementing. So why should ICMP implementors be worried about this?

I will try to modify the text in that section so that
it just provides information and points to the IPsec
RFCs for detailed processing.

OK.

It may be worth reminding the readers that in most cases, even if a packet was sent with IPsec, the response may come in the clear and the decision to just drop them might have ... strong implications. Such cleartext messages would typically originate from the routers in between, or from the destination host if it doesn't have its security policies set up in such a manner that ICMP packets would be protected.

So, a flag to disable unauthenticated ICMPs does not seem to be particularly interesting when used in the Internet; it may or may not be potentially useful when used inside Intranets.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
