Re: 2401bis Issue #67 -- IPsec management traffic

Hi Francis,

In your previous mail you wrote:

There is one slight catch, however. There is no SPD entry action to
cause delivery of a received message to IKE. So, while your example
is appropriate for outbound IKE traffic, I don't think we ever
defined a way to express appropriate internal forwarding of inbound
IKE traffic. Any suggestions?
=> I agree but I don't believe there is a solution inside IPsec itself:
to enforce the delivery of packets matching a filter to a process/user/...
is a "personal firewall" function only.

[Throwing in a few pennies until Steve returns...]

	Are you speaking of hosts here?  While it might work there,
	a "personal firewall" seems odd applied to SGs.  A general
	solution would be to add another action in the SPD, e.g.,
	"direct to security management".