
RE: 2401bis Issue #67 -- IPsec management traffic

At 12:40 -0700 9/16/03, Wenxiao He wrote:
> -----Original Message-----
> From: owner-ipsec@xxxxxxxxxxxxxxxxx
> [mailto:owner-ipsec@xxxxxxxxxxxxxxxxx] On Behalf Of Karen Seo
> Sent: Friday, September 12, 2003 5:27 PM
> To: ipsec mailingList
> Cc: byfraser@xxxxxxxxx; tytso@xxxxxxx; Angelos D. Keromytis;
> kivinen@xxxxxx; kseo@xxxxxxx
> Subject: 2401bis Issue #67 -- IPsec management traffic


Here's a description and proposed approach for:

IPsec Issue #: 67

Title: IPsec management traffic

 SPD entries apply only to subscriber traffic. However, 2401 says that
 the "SPD must be consulted during the processing of all traffic..."
 leading to confusion about whether IPsec management traffic should
 have an SPD entry, etc.  Should the text be modified to make it clear
 that an IPsec implementation is able to send and receive traffic for
 itself independent of SPD/SAD entries or should there be an explicit
 SPD entry to cover IPsec management traffic?

When talking about "send and receive traffic for itself independent of SPD/SAD entries", are you saying all end host IPSec management traffic should be in cleartext?

NO. What we said was that IKE SAs are treated specially by the host/SG that terminates or originates IKE traffic, and thus need not be subject to SPD/SAD controls.

Using the example below, assuming the IPSec tunnel
between H1 and SG2 is ready and H1 is sending IKE messages to H2, should
these IKE messages be in cleartext or protected by the H1/SG2 tunnel SA? On
the 2nd note below, are you saying that when IKE traffic (H1/H2) is going through
SG2 it will require an SPD?

The IKE traffic from H1 is treated like any other subscriber traffic from H1, and thus requires an appropriate SPD entry to be allowed to pass. However, at H1, the IKE traffic it emits and receives need not be authorized by an entry in its SPD.

         ======================================================
         |                                                    |
         |==============================                      |
         |  ||                                                |
         |  ||       ---|----------------------|---           |
         |  ||       |                         |              |
         H1* ----- (Internet) ------| SG2* ---- (Local ----- H2*
          ^                         |           Intranet)    |
          |                         ------------------------------
      could be dialup                admin. boundary (optional)
      to PPP/ARA server

 Note: If one chose to allow IPsec management traffic to bypass SPD
 lookup, then how would one implement a policy of "don't accept IKE
 traffic from src A"?
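As an added illustration of the two options debated in this thread (this is example code written for this page, not text from RFC 2401, 2401bis or any IPsec implementation), the following Python model shows what changes when locally terminated IKE traffic is handled independently of the SPD versus when it must match an explicit SPD entry. The node addresses, the SPD entries and the "src A" address are constructed for the example; the SPD is reduced to an ordered first-match list over cleartext packets, and SAD processing of already-protected packets is left out.

```python
"""Toy model of SPD consultation for IKE traffic at a host and a gateway.

Constructed example for illustration; not code from RFC 2401/2401bis or
any implementation.  Addresses come from documentation/private ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IKE_UDP_PORT = 500          # IKE runs over UDP/500
DEFAULT_ACTION = "DISCARD"  # RFC 2401: no matching SPD entry -> drop


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "udp", "tcp", ...
    dport: int = 0  # 0 when the protocol has no port


@dataclass(frozen=True)
class SpdEntry:
    src: str        # CIDR selector
    dst: str        # CIDR selector
    proto: str      # "any" matches every protocol
    dport: int      # 0 matches every port
    action: str     # "DISCARD", "BYPASS" or "PROTECT"


def is_ike(pkt):
    return pkt.proto == "udp" and pkt.dport == IKE_UDP_PORT


def matches(entry, pkt):
    return (ip_address(pkt.src) in ip_network(entry.src)
            and ip_address(pkt.dst) in ip_network(entry.dst)
            and entry.proto in ("any", pkt.proto)
            and entry.dport in (0, pkt.dport))


def spd_lookup(spd, pkt):
    """Ordered first-match search over the SPD; default is DISCARD."""
    for entry in spd:
        if matches(entry, pkt):
            return entry.action
    return DEFAULT_ACTION


def decide(node_addrs, spd, pkt, ike_bypasses_spd):
    """Return (action, reason) for a cleartext packet seen by a node.

    node_addrs: the node's own addresses.
    ike_bypasses_spd=True models 'IKE the node terminates or originates is
    handled outside the SPD'; False models 'IKE needs an explicit SPD entry'.
    IKE merely transiting the node is subscriber traffic in both models.
    """
    local = pkt.src in node_addrs or pkt.dst in node_addrs
    if ike_bypasses_spd and is_ike(pkt) and local:
        return "BYPASS", "locally terminated IKE, SPD not consulted"
    return spd_lookup(spd, pkt), "SPD lookup"


# Constructed topology: H1 -- (Internet) -- SG2 -- (intranet) -- H2
H1, SG2, H2 = "192.0.2.10", "198.51.100.1", "10.1.0.20"
SRC_A = "203.0.113.7"   # the 'src A' of the note, constructed

# SG2's SPD: tunnel-protect everything from H1 into the local intranet.
SG2_SPD = [SpdEntry(H1 + "/32", "10.1.0.0/16", "any", 0, "PROTECT")]

# H1's SPD carries the policy from the note: refuse IKE from src A,
# allow IKE from everyone else.
H1_SPD = [
    SpdEntry(SRC_A + "/32", H1 + "/32", "udp", IKE_UDP_PORT, "DISCARD"),
    SpdEntry("0.0.0.0/0", H1 + "/32", "udp", IKE_UDP_PORT, "BYPASS"),
]


def transit_ike_at_sg2():
    """H1->H2 IKE passing through SG2 is ordinary subscriber traffic."""
    return decide({SG2}, SG2_SPD, Packet(H1, H2, "udp", IKE_UDP_PORT), True)


def local_ike_at_sg2():
    """H1->SG2 IKE terminates at SG2 and is handled outside the SPD."""
    return decide({SG2}, SG2_SPD, Packet(H1, SG2, "udp", IKE_UDP_PORT), True)


def ike_from_a_at_h1(ike_bypasses_spd):
    """The note's policy: does 'don't accept IKE from src A' take effect?"""
    return decide({H1}, H1_SPD, Packet(SRC_A, H1, "udp", IKE_UDP_PORT),
                  ike_bypasses_spd)


if __name__ == "__main__":
    print("transit IKE at SG2:   ", transit_ike_at_sg2())
    print("local IKE at SG2:     ", local_ike_at_sg2())
    print("IKE from A, bypass:   ", ike_from_a_at_h1(True))
    print("IKE from A, explicit: ", ike_from_a_at_h1(False))
```

Running it shows the distinction drawn in the reply: IKE that only transits SG2 hits the SPD and is tunneled like any other H1 traffic, while IKE addressed to SG2 itself is handled outside the SPD. It also shows the trade-off raised in the note: with the bypass model the DISCARD entry for src A is never reached, whereas with an explicit-entry model the same entry is consulted and the IKE message is dropped.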