
Re: 2401bis Issue #67 -- IPsec management traffic

 In your previous mail you wrote:

   NO. what we said was that IKE SAs are treated specially by the 
   host/SG that terminates or originates IKE traffic, and thus need not 
   be subject to SPD/SAD controls.
=> IMHO it is convenient to be able to do both, i.e., the standard way
is that the IKE daemon asks itself for the "bypass" for UDP/500 but
the administrator can choose to enter specific SPD entries for UDP/500.
(for instance in order to solve the issue of IKE messages going through
the local node)
BTW the RFC 2401 text is fine: it suggests this usage of the "bypass" but
mandates nothing more than common sense.
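As an added illustration of the two mechanisms the message contrasts (example code written for this page, not part of the thread or of any IPsec implementation; the local addresses, SPD entries and packets are constructed), the following models an SPD lookup in which the IKE daemon's implicit "bypass" covers only UDP/500 traffic the local node terminates or originates, while administrator SPD entries are consulted first and are the only way IKE transiting the node gets through:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LOCAL_ADDRS = {"192.0.2.1"}  # constructed: addresses of the local host/SG

@dataclass
class SpdEntry:
    src: str                 # CIDR selector for the source address
    dst: str                 # CIDR selector for the destination address
    proto: int               # IP protocol number, 17 = UDP
    port: Optional[int]      # destination port, None = any port
    action: str              # "BYPASS", "DISCARD" or "PROTECT"

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and pkt["proto"] == self.proto
                and (self.port is None or pkt["dport"] == self.port))

def is_local_ike(pkt: dict) -> bool:
    """IKE (UDP/500) that this node itself originates or terminates."""
    return (pkt["proto"] == 17 and pkt["dport"] == 500
            and (pkt["src"] in LOCAL_ADDRS or pkt["dst"] in LOCAL_ADDRS))

def spd_decision(pkt: dict, spd: list) -> str:
    # 1. Ordered administrator entries: first match wins, so an explicit
    #    UDP/500 entry (e.g. for transit IKE) takes effect here.
    for entry in spd:
        if entry.matches(pkt):
            return entry.action
    # 2. The daemon's implicit bypass applies only to locally terminated IKE.
    if is_local_ike(pkt):
        return "BYPASS"
    # 3. RFC 2401 default when no policy matches: drop.
    return "DISCARD"

def udp(src: str, dst: str, dport: int) -> dict:
    return {"src": src, "dst": dst, "proto": 17, "dport": dport}

# Constructed policy: the administrator allows IKE to pass between two
# networks behind and in front of the gateway.
ADMIN_SPD = [SpdEntry("198.51.100.0/24", "203.0.113.0/24", 17, 500, "BYPASS")]
```

Transit IKE between those networks is dropped with an empty SPD and passed only once the explicit entry exists, whereas IKE addressed to the node itself is bypassed in either case.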