
Re: 2401bis Issue #67 -- IPsec management traffic

 In your previous mail you wrote:

   > >    There is one slight catch, however. There is no SPD entry action to
   > >    cause delivery of a received message to IKE. So, while your example
   > >    is appropriate for outbound IKE traffic, I don't think we ever
   > >    defined a way to express appropriate internal forwarding of inbound
   > >    IKE traffic.  Any suggestions?
   This discussion seems totally absurd to me. You just install "pass
   through in clear" policy entries for that traffic. Just a simple policy
   selector with port 500, for example? That's the way it works for me.
   All traffic to and from a host should pass through IPSEC policy
   check. If some implementations goof up on this, it's their bug. No
   need to mess with IPSEC RFC.

=> IMHO we don't understand the same thing. My interpretation of the issue
is how to enforce that UDP port 500 is delivered to the IKE daemon. My
opinion is that this is an interesting question but this is out of the
scope of IPsec SPD.
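As an added illustration (not part of this thread), a toy model of the two positions above: an ordered, per-direction SPD with "pass through in clear" (BYPASS) entries for the host's own UDP/500 port and PROTECT for everything else, run over constructed packets. The selector fields, the `classify` helper and the packets are assumptions of this example; it also shows the ordering pitfall (catch-all PROTECT listed first) and that the SPD result says nothing about which daemon finally receives an admitted datagram.

```python
"""Toy model of RFC 2401-style SPD processing for IKE (UDP/500) traffic."""
from dataclasses import dataclass
from typing import Dict, List, Optional

BYPASS, DISCARD, PROTECT = "BYPASS", "DISCARD", "PROTECT"
IKE_PORT = 500  # IKE is carried over UDP/500, as discussed in the thread


@dataclass(frozen=True)
class Selector:
    """Traffic selector; a None field is the wildcard ("any")."""
    proto: Optional[str] = None
    local_port: Optional[int] = None   # our port: dst for inbound, src for outbound
    remote_port: Optional[int] = None  # peer's port

    def matches(self, pkt: Dict) -> bool:
        return all(v is None or pkt.get(k) == v for k, v in vars(self).items())


@dataclass(frozen=True)
class SpdEntry:
    selector: Selector
    action: str


def spd_lookup(spd: List[SpdEntry], pkt: Dict) -> str:
    """Ordered first-match search; traffic matching no entry is discarded."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry.action
    return DISCARD


def ike_bypass_spd() -> List[SpdEntry]:
    """Constructed SPD: clear-text pass-through for our IKE port, then protect
    all remaining traffic. Order matters: reversing it would shadow the bypass
    and IKE could never bootstrap the SAs the PROTECT entry needs."""
    return [
        SpdEntry(Selector(proto="udp", local_port=IKE_PORT), BYPASS),
        SpdEntry(Selector(), PROTECT),
    ]


# Separate inbound and outbound databases, here with identical contents.
INBOUND_SPD, OUTBOUND_SPD = ike_bypass_spd(), ike_bypass_spd()


def classify(direction: str, pkt: Dict) -> str:
    """Apply the SPD for one direction. A BYPASS verdict on an inbound UDP/500
    datagram only admits it in the clear; handing it to the IKE daemon is done
    by ordinary UDP socket demultiplexing, which the SPD does not express."""
    return spd_lookup(INBOUND_SPD if direction == "in" else OUTBOUND_SPD, pkt)
```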