Re: 2401bis Issue #67 -- IPsec management traffic
In your previous mail you wrote:
NO. what we said was that IKE SAs are treated specially by the
host/SG that terminates or originates IKE traffic, and thus need not
be subject to SPD/SAD controls.
=> IMHO it is convenient to be able to do both, i.e., the standard way
is that the IKE daemon asks itself for the "bypass" for UDP/500 but
the administrator can choose to enter specific SPD entries for UDP/500.
(for instance in order to solve the issue of IKE messages going through
the local node)
BTW the RFC 2401 text is fine: it suggests this usage of the "bypass" but
mandates nothing more than common sense.