ICMP type 40, Security failures

Protocol suite:	TCP/IP.
Protocol type:	Transport layer control protocol.
Base protocol:	ICMP, Internet Control Message Protocol.
Host implementation:	Experimental.
Router implementation:	Experimental.
Links:	IANA: ICMP parameters.

This message is used for indicating failures with the security protocols AH and ESP.

RFC 2521, page 1:

This mechanism is intended for use with the Internet Security Protocols for authentication and privacy. For statically configured Security Associations, these messages indicate that the operator needs to manually reconfigure, or is attempting an unauthorized operation. These messages may also be used to trigger automated session-key management.

RFC 2521, page 3:

As is usual with ICMP messages, upon receipt of one of these error messages that is uninterpretable or otherwise contains an error, no ICMP error message is sent in response. Instead, the message is silently discarded. However, for diagnosis of problems, a node SHOULD provide the capability of logging the error, including the contents of the silently discarded datagram, and SHOULD record the event in a statistics counter.

On receipt, special care MUST be taken that the ICMP message actually includes information that matches a previously sent IP datagram. Otherwise, this might provide an opportunity for a denial of service attack.

The sending implementation MUST be able to limit the rate at which these messages are generated. The rate limit parameters SHOULD be configurable. How the limits are applied (such as, by destination or per interface) is left to the implementor's discretion.

MAC header

IP header

ICMP message 40

Message format:

00	08	16
Type	Code	ICMP header checksum
reserved		Pointer
Data :::

Type. 8 bits.
Set to 40.

Code. 8 bits.

Code	Description
0	Bad SPI. Indicates that a received datagram includes a Security Parameters Index (SPI) that is invalid or has expired.
1	Authentication Failed. Indicates that a received datagram failed the authenticity or integrity check for a given SPI.
2	Decompression Failed. Indicates that a received datagram failed a decompression check for a given SPI.
3	Decryption Failed. Indicates that a received datagram failed a decryption check for a given SPI.
4	Need Authentication. Authentication Indicates that a received datagram will not be accepted without additional authentication.
5	Need Authorization. Indicates that a received datagram will not be accepted because it has insufficient authorization.

ICMP Header Checksum. 16 bits.
The 16-bit one's complement of the one's complement sum of the ICMP message, starting with the ICMP Type field. When the checksum is computed, the checksum field should first be cleared to 0. When the data packet is transmitted, the checksum is computed and inserted into this field. When the data packet is received, the checksum is again computed and verified against the checksum field. If the two checksums do not match then an error has occurred.

reserved. 16 bits.
Cleared to zero.

Pointer. 16 bits.
A pointer offset into the Original Internet Headers that locates the most significant byte of the offending SPI. Will be cleared to zero when no SPI is present.

Data.
The original IP header, any intervening headers up to and including the offending SPI (if any), plus the first 64 bits (8 bytes) of the remaining payload data. This data is used by the host to match the message to the appropriate process. If a payload protocol uses port numbers, they are assumed to be in the first 64-bits of the original datagram's payload.

Glossary:

RFCs:

[RFC 1122] Requirements for Internet Hosts -- Communication Layers.