
Re: draft-ietf-ipsec-arch-sec-02.txt and last call




Hi Steve,

	So does that mean having a "discard" action in the IPSec Security
policy is a SHOULD and not a MUST? I might not want to provide the
"discard" choice as an action for my IPSec policy, depending on the presence
of other subsystems to handle it. Would it make my IPSec implementation
non-compliant?

Could you clarify what this text encompasses? (pg 14, end of 3rd para.)

  However, this document does specify a standard set of SPD elements that
  all IPsec implementations MUST support.

Are the actions: bypass, protect and discard, part of the SPD elements?

Thanks,
Indermohan

>>>>> Stephen Kent <kent@bbn.com> writes:

SK> Indermohan,
SK> 	The discard function is present because not every IPsec
SK> implementation would be part of a firewall, e.g., it could be a stand alone
SK> crypto device or a shim in a host stack, etc.  Thus we added this option to
SK> provide a complete characterization of what to do with every outbound or
SK> inbound packet traversing the IPsec interface.

SK> Steve



