> -----Original Message-----
> From: owner-ipsec@xxxxxxxxxxxxxxxxx [mailto:owner-ipsec@xxxxxxxxxxxxxxxxx] On Behalf Of Karen Seo
> Sent: Friday, September 12, 2003 5:27 PM
> To: ipsec mailingList
> Cc: byfraser@xxxxxxxxx; tytso@xxxxxxx; Angelos D. Keromytis; kivinen@xxxxxx; kseo@xxxxxxx
> Subject: 2401bis Issue #67 -- IPsec management traffic
Folks,
Here's a description and proposed approach for:
IPsec Issue #: 67
Title: IPsec management traffic
Description:
============
SPD entries apply only to subscriber traffic. However, 2401 says that the "SPD must be consulted during the processing of all traffic..." leading to confusion about whether IPsec management traffic should have an SPD entry, etc. Should the text be modified to make it clear that an IPsec implementation is able to send and receive traffic for itself independent of SPD/SAD entries, or should there be an explicit SPD entry to cover IPsec management traffic?
When talking about "send and receive traffic for itself independent of SPD/SAD entries", are you saying that all end-host IPsec management traffic should be in cleartext?
Using the example below, assuming the IPsec tunnel between H1 and SG2 is ready and H1 is sending IKE messages to H2, should these IKE messages be in cleartext or protected by the H1/SG2 tunnel SA? On the second note below, are you saying that when IKE traffic (H1/H2) goes through SG2 it will require an SPD entry?
    ======================================================
    |                                                    |
    |==============================                      |
    ||                            |                      |
    ||                         ---|----------------------|---
    ||                         |  |                      |  |
    H1* ----- (Internet) ------| SG2* ---- (Local ----- H2* |
         ^                     |            Intranet)       |
    could be dialup            ------------------------------
    to PPP/ARA server          admin. boundary (optional)
> Note: If one chose to allow IPsec management traffic to bypass SPD lookup, then how would one implement a policy of "don't accept IKE traffic from src A"?
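The two readings of 2401 under discussion (IKE handled outside the SPD entirely, versus IKE covered by explicit SPD entries) can be made concrete with a small model of first-match SPD lookup. The following is an added illustration written for this thread, not code from the mailing list, from 2401bis or from any IPsec implementation. It assumes hypothetical addresses for H1, SG2, H2 and "src A" in the Case 4 topology above, reduces selectors to source/destination prefix, protocol and destination port, and uses a `mgmt_bypasses_spd` switch to model the "management traffic bypasses SPD lookup" reading; everything else (DISCARD/BYPASS/PROTECT actions, DISCARD on no match, UDP/500 for IKE) is from RFC 2401 and RFC 2409.

```python
"""Constructed model of RFC 2401-style SPD lookup (added illustration, not
code from the thread or any IPsec implementation).  Selectors are reduced
to source/destination CIDR, protocol and destination port."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"
IKE_PORT = 500  # IKE runs over UDP/500 (RFC 2409)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "udp", "tcp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class SPDEntry:
    src: str              # CIDR selector
    dst: str              # CIDR selector
    proto: Optional[str]  # None = any protocol
    dport: Optional[int]  # None = any port
    action: str
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def is_ike(p: Packet) -> bool:
    return p.proto == "udp" and p.dport == IKE_PORT


def spd_lookup(spd: List[SPDEntry], p: Packet, mgmt_bypasses_spd: bool) -> str:
    """First-match lookup over an ordered SPD; no match means DISCARD
    (the RFC 2401 section 4.4.1 default).  mgmt_bypasses_spd=True models
    the reading in which the implementation's own IKE traffic is never
    looked up in the SPD at all."""
    if mgmt_bypasses_spd and is_ike(p):
        return BYPASS
    for e in spd:
        if e.matches(p):
            return e.action
    return DISCARD


# Hypothetical addresses for the Case 4 topology: H1 on the Internet, SG2 the
# gateway, H2 on the 10/8 intranet behind SG2, "src A" an unwanted IKE peer.
H1, SG2, H2, SRC_A = "203.0.113.5", "198.51.100.1", "10.0.0.5", "192.0.2.7"

# SG2's constructed policy: refuse IKE from src A, accept other IKE to itself
# in the clear, protect everything destined to the intranet.
SG2_SPD = [
    SPDEntry(SRC_A + "/32", SG2 + "/32", "udp", IKE_PORT, DISCARD, "deny IKE from src A"),
    SPDEntry("0.0.0.0/0", SG2 + "/32", "udp", IKE_PORT, BYPASS, "IKE to the gateway"),
    SPDEntry("0.0.0.0/0", "10.0.0.0/8", None, None, PROTECT, "H1/SG2 tunnel"),
]

# H1's constructed policy: IKE to SG2 in the clear (needed to bring the tunnel
# up at all); everything for the intranet, IKE to H2 included, via the tunnel.
H1_SPD = [
    SPDEntry(H1 + "/32", SG2 + "/32", "udp", IKE_PORT, BYPASS, "IKE to SG2"),
    SPDEntry(H1 + "/32", "10.0.0.0/8", None, None, PROTECT, "H1/SG2 tunnel"),
]


def sg2_decision_for_ike_from_src_a(mgmt_bypasses_spd: bool) -> str:
    """What SG2 does with an IKE packet from src A under each reading."""
    return spd_lookup(SG2_SPD, Packet(SRC_A, SG2, "udp", IKE_PORT), mgmt_bypasses_spd)


def h1_decision_for_ike_to_h2(mgmt_bypasses_spd: bool) -> str:
    """What H1 does with its own IKE packet to H2 under each reading."""
    return spd_lookup(H1_SPD, Packet(H1, H2, "udp", IKE_PORT), mgmt_bypasses_spd)


if __name__ == "__main__":
    for bypass in (True, False):
        print("management traffic bypasses SPD:", bypass)
        print("  SG2, IKE from src A:", sg2_decision_for_ike_from_src_a(bypass))
        print("  H1,  IKE to H2     :", h1_decision_for_ike_to_h2(bypass))
```

With `mgmt_bypasses_spd=True` the "deny IKE from src A" entry is never consulted and SG2 accepts the packet, which is exactly the problem the quoted note raises; with explicit entries the first-match lookup discards it. The same switch answers the H1/H2 question in this model: bypassing the SPD sends H1's IKE to H2 across the Internet in the clear, while an SPD entry for the 10/8 prefix puts it inside the H1/SG2 tunnel SA.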