RFC 2521 (rfc2521) - Page 2 of 7
ICMP Security Failures Messages
RFC 2521 ICMP Security Failures March 1999
when transmitted, and MUST be ignored when received.

Pointer          Two octets.  An offset into the Original Internet
                 Headers that locates the most significant octet of
                 the offending SPI.  Will be zero when no SPI is
                 present.

Original Internet Headers ...
                 The original Internet Protocol header, any
                 intervening headers up to and including the
                 offending SPI (if any), plus the first 64 bits (8
                 octets) of the remaining payload data.

                 This data is used by the host to match the message
                 to the appropriate process.  If a payload protocol
                 uses port numbers, they are assumed to be in the
                 first 64-bits of the original datagram's payload.

Usage of this message is elaborated in the following sections.

2.1. Bad SPI

Indicates that a received datagram includes a Security Parameters
Index (SPI) that is invalid or has expired.

2.2. Authentication Failed

Indicates that a received datagram failed the authenticity or
integrity check for a given SPI.

Note that the SPI may indicate an outer Encapsulating Security
Protocol when a separate Authentication Header SPI is hidden inside.

2.3. Decompression Failed

Indicates that a received datagram failed a decompression check for a
given SPI.

2.4. Decryption Failed

Indicates that a received datagram failed a decryption check for a
given SPI.
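
A receiver-side parser for the Pointer and Original Internet Headers fields and the failure indications of sections 2.1 to 2.4, added here as an example and not part of the RFC text. It assumes an IPv4 original header, a 4-octet SPI, ICMP type 40 with codes 0 to 3 and the 8-octet ICMP header layout defined earlier in RFC 2521; the function names and the sample message are constructed for illustration.

```python
import struct

ICMP_SECURITY_FAILURES = 40   # ICMP type from RFC 2521 (defined before this excerpt)
CODES = {0: "Bad SPI", 1: "Authentication Failed",
         2: "Decompression Failed", 3: "Decryption Failed"}  # sections 2.1-2.4

def inet_checksum(data: bytes) -> int:
    """16-bit ones' complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_security_failure(icmp: bytes) -> dict:
    """Parse an untrusted ICMP Security Failures message (IPv4 original header only)."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short for ICMP header plus IPv4 header")
    # The Reserved field is ignored on receipt.
    icmp_type, code, _cksum, _reserved, pointer = struct.unpack_from("!BBHHH", icmp)
    if icmp_type != ICMP_SECURITY_FAILURES:
        raise ValueError("not a Security Failures message")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    orig = icmp[8:]                      # Original Internet Headers + 8 payload octets
    ihl = (orig[0] & 0x0F) * 4
    if orig[0] >> 4 != 4 or not 20 <= ihl <= len(orig):
        raise ValueError("bad original IPv4 header")
    spi = None                           # Pointer == 0 means no SPI is present
    if pointer:
        # Pointer locates the most significant octet of a 4-octet SPI, which
        # must lie after the IP header and inside the quoted headers.
        if pointer < ihl or pointer + 4 > len(orig):
            raise ValueError("Pointer outside Original Internet Headers")
        (spi,) = struct.unpack_from("!I", orig, pointer)
    return {"failure": CODES.get(code, f"code {code}"), "spi": spi,
            "protocol": orig[9],
            "src": ".".join(map(str, orig[12:16])),
            "dst": ".".join(map(str, orig[16:20]))}

def build_sample(pointer: int = 20, spi: int = 0x1234) -> bytes:
    """Constructed message: Bad SPI for an ESP datagram 192.0.2.1 -> 192.0.2.2."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 50, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    orig = ip + struct.pack("!I", spi) + bytes(8)   # headers, SPI, 8 payload octets
    body = struct.pack("!BBHHH", ICMP_SECURITY_FAILURES, 0, 0, 0, pointer) + orig
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
```

Because ICMP carries no authentication, the returned destination, protocol and SPI should be matched against a locally held security association before the message influences any state.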
Karn & Simpson Experimental