
RE: 2401bis Issue #67 -- IPsec management traffic



At 16:50 -0700 9/17/03, Wenxiao He wrote:
>  >
>>  NO. what we said was that IKE SAs are treated specially by the
>>  host/SG that terminates or originates IKE traffic, and thus need not
>>  be subject to SPD/SAD controls.
>>
>>  The IKE traffic from H1 is treated like any other subscriber traffic
>>  from H1, and thus requires an appropriate SPD entry to be allowed to
>>  pass. However, at H1, the IKE traffic it emits and receives need not
>>  be authorized by an entry in its SPD.
>
>I am still confused. Let me ask some questions first:
>* What is IPSec management traffic? Does it include IKE traffic
>(UDP/500)?

Yes, it includes IKE traffic, but the text refers to IPsec management
traffic originated or terminated by the device in question, not ALL
IPsec management traffic.

>* What traffic is not subject to SPD/SAD control?

That's the subject of this change; see above!

>* When traffic is not subject to SPD/SAD control, it sounds to me like
>it is cleartext. Without consulting the SPD/SAD, how can the traffic get
>sent with SA protection (which SA to use)?

IKE provides its own protection for its traffic, but it does not use
ESP. That is an example of protected traffic that would not be
processed via the SPD, since the SPD entries are defined to apply ESP
and/or AH, but not the crypto protection employed by IKE.

Steve
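The distinction Steve draws (IKE the device itself originates or terminates is handed to IKE and skips the SPD; IKE merely transiting the device, such as H1's, is ordinary subscriber traffic that needs an SPD entry or is dropped) can be modelled as a small dispatch function. This is an added illustration, not code from the thread or any IPsec implementation; the addresses, the simplified SPD selector format and the action names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IKE_PORT = 500  # IKE runs over UDP/500, as discussed in the thread

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class SPDEntry:
    """Simplified SPD selector: (src range, dst range, proto) -> action."""
    src: str
    dst: str
    proto: str
    action: str  # "PROTECT" (apply ESP/AH), "BYPASS" or "DISCARD"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto))

def dispatch(p: Packet, local_addrs: set, spd: list) -> str:
    """Return how this device handles packet p.

    IKE that the device itself sends or receives goes to IKE, which
    protects it without ESP/AH, so the SPD is never consulted. Anything
    else, including IKE that only transits the device, needs a matching
    SPD entry; with no match the packet is discarded.
    """
    is_ike = p.proto == "udp" and p.dport == IKE_PORT
    if is_ike and (p.src in local_addrs or p.dst in local_addrs):
        return "IKE_LOCAL"  # not subject to SPD/SAD controls
    for entry in spd:
        if entry.matches(p):
            return entry.action
    return "DISCARD"

# Constructed topology: SG fronts subnet 10.1.0.0/16, where host H1 lives.
SG_ADDRS = {"192.0.2.1", "10.1.0.1"}
H1, PEER_SG = "10.1.0.7", "198.51.100.9"
SPD_NO_IKE_RULE = [SPDEntry("10.1.0.0/16", "198.51.100.0/24", "tcp", "PROTECT")]
SPD_WITH_IKE_RULE = SPD_NO_IKE_RULE + [SPDEntry("10.1.0.0/16", "198.51.100.0/24", "udp", "BYPASS")]

if __name__ == "__main__":
    transit_ike = Packet(H1, PEER_SG, "udp", IKE_PORT)
    print(dispatch(transit_ike, SG_ADDRS, SPD_NO_IKE_RULE))    # DISCARD
    print(dispatch(transit_ike, SG_ADDRS, SPD_WITH_IKE_RULE))  # BYPASS
    print(dispatch(Packet("192.0.2.1", PEER_SG, "udp", IKE_PORT), SG_ADDRS, []))  # IKE_LOCAL
```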