RE: 2401bis Issue #67 -- IPsec management traffic
At 12:40 -0700 9/16/03, Wenxiao He wrote:
> -----Original Message-----
[mailto:owner-ipsec@xxxxxxxxxxxxxxxxx] On Behalf Of Karen Seo
Sent: Friday, September 12, 2003 5:27 PM
To: ipsec mailingList
Cc: byfraser@xxxxxxxxx; tytso@xxxxxxx; Angelos D. Keromytis;
Subject: 2401bis Issue #67 -- IPsec management traffic
Here's a description and proposed approach for:
IPsec Issue #: 67
Title: IPsec management traffic
SPD entries apply only to subscriber traffic. However, 2401 says that
the "SPD must be consulted during the processing of all traffic..."
leading to confusion about whether IPsec management traffic should
have an SPD entry, etc. Should the text be modified to make it clear
that an IPsec implementation is able to send and receive traffic for
itself independent of SPD/SAD entries or should there be an explicit
SPD entry to cover IPsec management traffic?
When talking about "send and receive traffic for itself independent of
SPD/SAD entries", are you saying all end host IPSec management traffic
should be in cleartext?
NO. What we said was that IKE SAs are treated specially by the
host/SG that terminates or originates IKE traffic, and thus need not
be subject to SPD/SAD controls.
Using the example below, assuming the IPSec tunnel
between H1 and SG2 is ready and H1 is sending IKE messages to H2, should
these IKE messages be in cleartext or protected by the H1/SG2 tunnel SA? On
the 2nd note below, are you saying that when IKE traffic (H1/H2) is going through
SG2 it will require an SPD?
The IKE traffic from H1 is treated like any other subscriber traffic
from H1, and thus requires an appropriate SPD entry to be allowed to
pass. However, at H1, the IKE traffic it emits and receives need not
be authorized by an entry in its SPD.
                           ||                           |
                           ||                           |
H1* ----- (Internet) ------| SG2* ---- (Local ----- H2* |
 ^                         |           Intranet)        |
could be dialup      admin. boundary             (optional)
to PPP/ARA server
Note: If one chose to allow IPsec management traffic to bypass SPD
lookup, then how would one implement a policy of "don't accept IKE
traffic from src A"?
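Added illustration, not code from the thread or from any IPsec implementation: a toy SPD lookup that models the two cases in the reply above (IKE that a node itself originates or terminates bypasses its SPD; IKE transiting SG2 is subscriber traffic that must match an SPD entry) and the question in the note. Addresses, SPD entries and the "src A" host are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

IKE_PORT = 500  # IKE/ISAKMP over UDP

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "udp", "tcp", "esp", ...
    dport: Optional[int] = None

@dataclass(frozen=True)
class SPDEntry:
    src: str                # address or "*" for any
    dst: str
    proto: str
    dport: Optional[int]    # None for any port
    action: str             # "PROTECT", "BYPASS" or "DISCARD"

    def matches(self, p: Packet) -> bool:
        for sel, val in ((self.src, p.src), (self.dst, p.dst), (self.proto, p.proto)):
            if sel not in ("*", val):
                return False
        return self.dport in (None, p.dport)

def is_local_ike(node_addr: str, p: Packet) -> bool:
    """IKE that this node itself originates or terminates (management traffic)."""
    return p.proto == "udp" and p.dport == IKE_PORT and node_addr in (p.src, p.dst)

def spd_decision(node_addr: str, spd: List[SPDEntry], p: Packet) -> str:
    """Ordered SPD lookup. Local IKE never reaches the SPD; a packet that
    matches no entry is discarded, as 2401 requires."""
    if is_local_ike(node_addr, p):
        return "IKE-EXEMPT"         # handed straight to the IKE daemon
    for entry in spd:
        if entry.matches(p):
            return entry.action
    return "DISCARD"

# Constructed topology for the figure in the thread (addresses are made up).
H1, SG2, H2, SRC_A = "192.0.2.10", "198.51.100.1", "10.0.0.5", "192.0.2.66"
# SG2's SPD: the note's "don't accept IKE traffic from src A", then the entry
# that lets H1's subscriber traffic (IKE included) reach H2 via the tunnel SA.
SG2_SPD = [SPDEntry(SRC_A, "*", "udp", IKE_PORT, "DISCARD"),
           SPDEntry(H1, H2, "*", None, "PROTECT")]
H2_SPD = [SPDEntry(SRC_A, "*", "udp", IKE_PORT, "DISCARD")]  # same rule on the host

IKE_H1_TO_H2 = Packet(H1, H2, "udp", IKE_PORT)
IKE_A_TO_H2 = Packet(SRC_A, H2, "udp", IKE_PORT)
```

At H2 the DISCARD entry is never consulted for IKE addressed to H2 itself, which is exactly the gap the note asks about.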