
RE: 2401bis Issue #67 -- IPsec management traffic



At 12:40 -0700 9/16/03, Wenxiao He wrote:
>>  -----Original Message-----
>>  From: owner-ipsec@lists.tislabs.com
>>  [mailto:owner-ipsec@lists.tislabs.com] On Behalf Of Karen Seo
>>  Sent: Friday, September 12, 2003 5:27 PM
>>  To: ipsec mailingList
>>  Cc: byfraser@cisco.com; tytso@mit.edu; Angelos D. Keromytis;
>>  kivinen@ssh.fi; kseo@bbn.com
>>  Subject: 2401bis Issue #67 -- IPsec management traffic
>>
>>
>>  Folks,
>>
>>  Here's a description and proposed approach for:
>>
>>  IPsec Issue #:	67
>>
>>  Title:		IPsec management traffic
>>
>>  Description:
>>  ============
>>  SPD entries apply only to subscriber traffic. However, 2401 says that
>>  the "SPD must be consulted during the processing of all traffic..."
>>  leading to confusion about whether IPsec management traffic should
>>  have an SPD entry, etc.  Should the text be modified to make it clear
>>  that an IPsec implementation is able to send and receive traffic for
>>  itself independent of SPD/SAD entries or should there be an explicit
>>  SPD entry to cover IPsec management traffic?
>>
>
>When talking about "send and receive traffic for itself independent of
>SPD/SAD entries", are you saying all end host IPSec management traffic
>should be in cleartext?

NO. What we said was that IKE SAs are treated specially by the
host/SG that terminates or originates IKE traffic, and thus need not
be subject to SPD/SAD controls.

>Using the example below, assuming the IPsec tunnel
>between H1 and SG2 is ready and H1 is sending IKE messages to H2, should
>these IKE messages be in cleartext or protected by the H1/SG2 tunnel SA? In
>the 2nd note below, are you saying that when IKE traffic (H1/H2) goes through
>SG2 it will require an SPD?

The IKE traffic from H1 is treated like any other subscriber traffic 
from H1, and thus requires an appropriate SPD entry to be allowed to 
pass. However, at H1, the IKE traffic it emits and receives need not 
be authorized by an entry in its SPD.

>
>         ======================================================
>         |                                                    |
>         |==============================                      |
>         ||                            |                      |
>         ||                         ---|----------------------|---
>         ||                         |  |                      |  |
>         H1* ----- (Internet) ------| SG2* ---- (Local ----- H2* |
>               ^                    |           Intranet)        |
>               |                    ------------------------------
>         could be dialup              admin. boundary (optional)
>         to PPP/ARA server
>
>
>>  Note: If one chose to allow IPsec management traffic to bypass SPD
>>  lookup, then how would one implement a policy of "don't accept IKE
>>  traffic from src A"?


Steve
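An added illustration, not part of this thread or of any IPsec implementation: a toy Python model of an ordered SPD lookup with the IKE special case Steve describes, evaluated at H1 (its own IKE toward H2), at SG2 (the same IKE packet in transit), and against the note's "don't accept IKE from src A" policy. The host names, selectors and SPD entries are constructed for the example.

```python
# Constructed example: ordered SPD lookup with an "own IKE bypasses SPD" switch.
from dataclasses import dataclass

IKE_PORT = 500  # IKE/ISAKMP runs over UDP port 500

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class SpdEntry:
    src: str      # "*" matches any address
    dst: str
    proto: str    # "*" matches any protocol
    dport: int    # 0 matches any port
    action: str   # PROTECT, BYPASS or DISCARD

    def matches(self, p):
        return (self.src in ("*", p.src) and self.dst in ("*", p.dst)
                and self.proto in ("*", p.proto) and self.dport in (0, p.dport))

def is_own_ike(node, p):
    """IKE traffic that this node itself originates or terminates."""
    return p.proto == "udp" and p.dport == IKE_PORT and node in (p.src, p.dst)

def decide(node, spd, p, ike_bypasses_spd=True):
    """First matching entry wins; no match means DISCARD. With the switch on,
    the node's own IKE goes to IKE processing before any SPD lookup happens."""
    if ike_bypasses_spd and is_own_ike(node, p):
        return "IKE-SPECIAL"
    for e in spd:
        if e.matches(p):
            return e.action
    return "DISCARD"

def demo():
    ike_h1_h2 = Packet("H1", "H2", "udp", IKE_PORT)    # H1's IKE toward H2
    ike_from_a = Packet("A", "H1", "udp", IKE_PORT)    # IKE from the note's "src A"
    h1_spd = [SpdEntry("A", "H1", "udp", IKE_PORT, "DISCARD"),  # the note's policy
              SpdEntry("H1", "H2", "*", 0, "PROTECT")]
    sg2_spd = [SpdEntry("H1", "H2", "*", 0, "PROTECT")]         # subscriber H1 -> H2
    return {
        "h1_own_ike": decide("H1", h1_spd, ike_h1_h2),              # not SPD-governed
        "sg2_transit_ike": decide("SG2", sg2_spd, ike_h1_h2),       # needs an entry
        "sg2_transit_ike_no_entry": decide("SG2", [], ike_h1_h2),   # dropped without one
        "h1_ike_from_a_bypass": decide("H1", h1_spd, ike_from_a),   # DISCARD entry unused
        "h1_ike_from_a_no_bypass": decide("H1", h1_spd, ike_from_a, False),
    }
```

The last two results show the note's point: with the bypass, the DISCARD entry for src A is never consulted, so such a policy would have to live in IKE itself rather than in the SPD.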