Re: Protection of port 500
At 12:37 AM -0800 1/15/01, Jason R Thorpe wrote:
> On Sun, Jan 14, 2001 at 09:09:12PM -0800, Pervaiz Rizvi wrote:
> > Since IPsec uses UDP500 for key exchange,
> > how does it know to ignore configurations
> > that seek to protect udp/500 with IPsec?
> > If this were allowed, presumably the IPsec
> > stack would go into an unterminating recursion.
>
> Presumably the IKE daemon would change the policy for the
> communication endpoints it is using.
An IPsec implementation may originate and terminate its own
management traffic (e.g., IKE, SNMP, ICMP, etc.)
irrespective of the SPD and SAD entries used to manage subscriber traffic.
Steve
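The policy interaction the thread is about, as an added illustration that is not part of this message and is not the code of any IPsec implementation: a toy first-match SPD lookup in Python. With a single catch-all PROTECT entry, the outbound IKE message needed to set up the SA is itself matched by the PROTECT entry, so the stack recurses exactly as Pervaiz describes; with a BYPASS entry for the UDP/500 pair ordered ahead of the catch-all (the policy change Jason attributes to the IKE daemon), the exchange terminates. The addresses, the `Packet`/`SPDEntry` classes, the depth limit and the `sent-*` result strings are all constructed for this example; the three SPD actions (discard, bypass, protect) are the ones defined in RFC 2401 / RFC 4301.

```python
"""Toy model of an IPsec Security Policy Database (SPD) lookup.

Shows why a PROTECT policy that also covers the IKE exchange (UDP/500)
can never be satisfied: establishing the SA that the policy demands
requires sending IKE, and the IKE packet is subject to the same policy.
Every address, port and packet below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# SPD actions as named in RFC 2401 / RFC 4301.
DISCARD, BYPASS, PROTECT = "discard", "bypass", "protect"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "udp", "tcp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class SPDEntry:
    """One ordered SPD entry. None in a selector field means 'any'."""
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    action: str

    def matches(self, p: Packet) -> bool:
        return all(sel is None or sel == val for sel, val in (
            (self.src, p.src), (self.dst, p.dst), (self.proto, p.proto),
            (self.sport, p.sport), (self.dport, p.dport)))


class IPsecStack:
    """First-match SPD plus a trivial SAD (peer pairs that hold a live SA)."""

    def __init__(self, spd: list):
        self.spd = list(spd)
        self.sad = set()          # (src, dst) pairs for which an SA exists
        self.ike_exchanges = 0

    def lookup(self, p: Packet) -> str:
        for entry in self.spd:    # first matching entry wins
            if entry.matches(p):
                return entry.action
        return DISCARD            # no matching entry: discard (RFC 4301)

    def send(self, p: Packet, _depth: int = 0) -> str:
        """Return how the packet left the host, or raise on runaway recursion."""
        if _depth > 8:            # constructed guard; a real stack would loop
            raise RecursionError("IKE traffic is matched by a PROTECT policy")
        action = self.lookup(p)
        if action == BYPASS:
            return "sent-in-clear"
        if action == DISCARD:
            return "dropped"
        # PROTECT: an SA is required. If none exists, run IKE to negotiate one.
        if (p.src, p.dst) not in self.sad:
            self.ike_exchanges += 1
            ike_msg = Packet(p.src, p.dst, "udp", 500, 500)
            self.send(ike_msg, _depth + 1)   # IKE is itself a packet
            self.sad.add((p.src, p.dst))
        return "sent-protected"


LOCAL, PEER = "10.0.1.1", "10.0.2.2"   # constructed addresses

# Broken: one catch-all PROTECT entry, which also captures UDP/500.
SPD_NO_BYPASS = [
    SPDEntry(LOCAL, PEER, None, None, None, PROTECT),
]

# Correct: the key-management traffic is exempted ahead of the catch-all.
SPD_WITH_BYPASS = [
    SPDEntry(LOCAL, PEER, "udp", 500, 500, BYPASS),
    SPDEntry(LOCAL, PEER, None, None, None, PROTECT),
]


def demo(spd) -> str:
    """Send one ordinary subscriber packet through a stack using `spd`."""
    stack = IPsecStack(spd)
    try:
        return stack.send(Packet(LOCAL, PEER, "tcp", 40000, 22))
    except RecursionError as e:
        return f"error: {e}"


if __name__ == "__main__":
    print("no bypass:  ", demo(SPD_NO_BYPASS))
    print("with bypass:", demo(SPD_WITH_BYPASS))
```

Entry order is what matters here, not only the presence of the bypass entry: the same two entries with the catch-all first recurse just as the broken SPD does. In a KAME-derived stack such as NetBSD's, the bypass is expressed to `setkey` as an SPD entry for the `[500]`/`[500]` UDP pair whose policy is `none`, placed before the general `ipsec` policy.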