RFC 2521 (rfc2521) - Page 2 of 7


ICMP Security Failures Messages




RFC 2521                 ICMP Security Failures               March 1999


                    when transmitted, and MUST be ignored when received.

   Pointer          Two octets.  An offset into the Original Internet
                    Headers that locates the most significant octet of
                    the offending SPI.  Will be zero when no SPI is
                    present.

   Original Internet Headers ...
                    The original Internet Protocol header, any
                    intervening headers up to and including the
                    offending SPI (if any), plus the first 64 bits (8
                    octets) of the remaining payload data.

                    This data is used by the host to match the message
                    to the appropriate process.  If a payload protocol
                    uses port numbers, they are assumed to be in the
                    first 64 bits of the original datagram's payload.

   Usage of this message is elaborated in the following sections.


2.1.  Bad SPI

   Indicates that a received datagram includes a Security Parameters
   Index (SPI) that is invalid or has expired.


2.2.  Authentication Failed

   Indicates that a received datagram failed the authenticity or
   integrity check for a given SPI.

   Note that the SPI may indicate an outer Encapsulating Security
   Protocol when a separate Authentication Header SPI is hidden inside.


2.3.  Decompression Failed

   Indicates that a received datagram failed a decompression check for a
   given SPI.


2.4.  Decryption Failed

   Indicates that a received datagram failed a decryption check for a
   given SPI.
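   The following Python is an added example, not code from the RFC or
   its authors.  It builds a Security Failures message from a
   constructed offending datagram and then parses it the way a
   receiving host would: it ignores the Reserved field, verifies the
   ICMP checksum, bounds-checks the Pointer before reading the SPI,
   and, when the Pointer is zero, takes the port numbers from the first
   64 bits of the original payload.  The Type value 40 and the Code
   numbers 0 through 5 are the assignments made in RFC 2521 (they are
   stated on other pages of the RFC, not this one); the IPv4, AH and
   UDP datagrams are constructed sample input, and only an AH or ESP
   header that directly follows the IP header is located by
   spi_pointer().

```python
"""ICMP Security Failures (RFC 2521) message builder and receiver-side parser.

Added example for this page; the packets below are constructed, not from the RFC.
Type 40 and the Code numbers are the values assigned in RFC 2521.
"""
import struct

ICMP_SECURITY_FAILURES = 40
CODES = {0: "Bad SPI", 1: "Authentication Failed", 2: "Decompression Failed",
         3: "Decryption Failed", 4: "Need Authentication", 5: "Need Authorization"}
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def spi_pointer(datagram: bytes) -> int:
    """Offset of the most significant SPI octet in an IPv4 datagram, or 0 when no SPI is present.

    Only an AH or ESP header that directly follows the IP header is handled (assumption).
    """
    ihl = (datagram[0] & 0x0F) * 4
    proto = datagram[9]
    if proto == IPPROTO_AH:      # AH: next header, payload length, reserved, then the SPI
        return ihl + 4
    if proto == IPPROTO_ESP:     # ESP: the SPI is the first field
        return ihl
    return 0


def build_security_failure(code: int, original: bytes, pointer: int) -> bytes:
    """Original Internet Headers = everything up to and including the SPI (or just the
    IP header when pointer == 0) plus the first 64 bits of the remaining data."""
    ihl = (original[0] & 0x0F) * 4
    headers_end = pointer + 4 if pointer else ihl
    body = original[:headers_end + 8]
    # Reserved is zero when transmitted; the checksum is computed over a zeroed checksum field
    draft = struct.pack("!BBHHH", ICMP_SECURITY_FAILURES, code, 0, 0, pointer) + body
    return struct.pack("!BBHHH", ICMP_SECURITY_FAILURES, code, icmp_checksum(draft), 0, pointer) + body


def parse_security_failure(msg: bytes) -> dict:
    """Receiver side: validate the message and extract what the host needs to match it
    to a process (the offending SPI, or the port numbers when there is no SPI)."""
    if len(msg) < 8 + 20:
        raise ValueError("message too short for the ICMP header and an IPv4 header")
    mtype, code, _csum, _reserved, pointer = struct.unpack("!BBHHH", msg[:8])  # Reserved ignored
    if mtype != ICMP_SECURITY_FAILURES:
        raise ValueError("not a Security Failures message")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    body = msg[8:]
    ihl = (body[0] & 0x0F) * 4
    proto = body[9]
    src, dst = body[12:16], body[16:20]
    spi = ports = None
    if pointer:
        # The Pointer comes from the network: bounds-check it before dereferencing
        if pointer < ihl or pointer + 4 > len(body):
            raise ValueError("Pointer does not fall inside the Original Internet Headers")
        spi = struct.unpack_from("!I", body, pointer)[0]
    elif proto in (IPPROTO_TCP, IPPROTO_UDP) and len(body) >= ihl + 4:
        # No SPI: ports are assumed to be in the first 64 bits of the original payload
        ports = struct.unpack_from("!HH", body, ihl)
    return {"code": code, "code_name": CODES.get(code, "unassigned"), "pointer": pointer,
            "protocol": proto, "spi": spi, "ports": ports, "src": src, "dst": dst}


def ipv4_header(proto: int, total_len: int) -> bytes:
    """Constructed IPv4 header (no options; the IP checksum is left zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def sample_ah_datagram(spi: int) -> bytes:
    """Constructed IPv4 + AH (96-bit ICV) + UDP datagram."""
    ah = struct.pack("!BBHII", IPPROTO_UDP, 4, 0, spi, 1) + b"\x00" * 12
    udp = struct.pack("!HHHH", 500, 500, 16, 0) + b"isakmp!!"
    return ipv4_header(IPPROTO_AH, 20 + len(ah) + len(udp)) + ah + udp


def sample_udp_datagram() -> bytes:
    """Constructed plain IPv4 + UDP datagram with no SPI."""
    udp = struct.pack("!HHHH", 4500, 500, 16, 0) + b"nat-t..."
    return ipv4_header(IPPROTO_UDP, 20 + len(udp)) + udp


if __name__ == "__main__":
    offending = sample_ah_datagram(0x12345678)
    message = build_security_failure(0, offending, spi_pointer(offending))
    print(parse_security_failure(message))
```

   For the AH sample the Pointer is 24 (a 20-octet IP header plus the
   four AH octets that precede the SPI), so the parser recovers the SPI
   and reports no ports; for the plain UDP sample the Pointer is zero
   and the parser instead reports the source and destination ports from
   the 64 bits of payload.  A Pointer that runs past the carried
   headers is rejected rather than dereferenced.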





Karn & Simpson                Experimental