RE: 2401bis Issue #67 -- IPsec management traffic
>
> NO. what we said was that IKE SAs are treated specially by the
> host/SG that terminates or originates IKE traffic, and thus need not
> be subject to SPD/SAD controls.
>
> The IKE traffic from H1 is treated like any other subscriber traffic
> from H1, and thus requires an appropriate SPD entry to be allowed to
> pass. However, at H1, the IKE traffic it emits and receives need not
> be authorized by an entry in its SPD.
I am still confused. Let me ask some questions first:
* What is IPSec management traffic? Does it include IKE traffic
(UDP/500)?
* What traffic is not subject to SPD/SAD control?
* When traffic is not subject to SPD/SAD control, it sounds like it is
cleartext to me. Without consulting the SPD/SAD, how can the traffic get
sent with SA protection (which SA to use)?
>
> >
> > ======================================================
> > | |
> > |============================== |
> > || | |
> > || ---|----------------------|---
> > || | | | |
> > H1* ----- (Internet) ------| SG2* ---- (Local ----- H2* |
> > ^ | Intranet) |
> > | ------------------------------
> > could be dialup admin. boundary (optional)
> > to PPP/ARA server
> >
> >
> > > Note: If one chose to allow IPsec management traffic to bypass SPD
> > > lookup, then how would one implement a policy of "don't accept IKE
> > > traffic from src A"?
>
>
> Steve
>
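The questions above and the quoted note both turn on the same point: whether IKE traffic that terminates at a host or SG is subject to an SPD lookup. The following is an added example, not code from the thread's participants or from RFC 2401bis. It models a minimal SPD (ordered entries, first match wins, no match means DISCARD) and shows that if IKE is handed to the IKE process without consulting the SPD, a "don't accept IKE from src A" entry can never fire. It assumes IKE is carried in cleartext UDP/500 (so a permitted IKE packet gets a BYPASS decision rather than a PROTECT one), and all addresses, entries and packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "udp", "tcp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class SPDEntry:
    src: str                   # CIDR selector
    dst: str                   # CIDR selector
    proto: Optional[str]       # None = any protocol
    dport: Optional[int]       # None = any port
    action: str                # "DISCARD", "BYPASS" or "PROTECT"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


def spd_lookup(spd: List[SPDEntry], pkt: Packet) -> str:
    """Ordered SPD search; a packet matching no entry is discarded."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.action
    return "DISCARD"


def is_ike(pkt: Packet) -> bool:
    # Model assumption: IKE is cleartext UDP to port 500.
    return pkt.proto == "udp" and pkt.dport == 500


def inbound_decision(spd: List[SPDEntry], pkt: Packet,
                     ike_bypasses_spd: bool) -> str:
    """Decision for a packet addressed to this host/SG itself.

    With ike_bypasses_spd=True the IKE packet is handed to IKE without an
    SPD lookup, so no SPD entry can refuse it; with False the SPD decides.
    """
    if ike_bypasses_spd and is_ike(pkt):
        return "BYPASS"
    return spd_lookup(spd, pkt)


# Constructed topology: SG2 at 198.51.100.1 fronting intranet 10.0.0.0/8,
# H1 at 203.0.113.7, and "src A" standing for the network 192.0.2.0/24.
SG2 = "198.51.100.1/32"
SG2_SPD = [
    SPDEntry("192.0.2.0/24", SG2, "udp", 500, "DISCARD"),   # no IKE from src A
    SPDEntry("0.0.0.0/0",    SG2, "udp", 500, "BYPASS"),    # IKE from anyone else
    SPDEntry("0.0.0.0/0",    "10.0.0.0/8", None, None, "PROTECT"),  # intranet traffic
]

IKE_FROM_A = Packet("192.0.2.5", "198.51.100.1", "udp", 500)
IKE_FROM_H1 = Packet("203.0.113.7", "198.51.100.1", "udp", 500)
TELNET_FROM_H1 = Packet("203.0.113.7", "10.1.2.3", "tcp", 23)


if __name__ == "__main__":
    for bypass in (True, False):
        print(f"IKE bypasses SPD = {bypass}:",
              "IKE from src A ->", inbound_decision(SG2_SPD, IKE_FROM_A, bypass),
              "| IKE from H1 ->", inbound_decision(SG2_SPD, IKE_FROM_H1, bypass))
    print("telnet from H1 to intranet ->", spd_lookup(SG2_SPD, TELNET_FROM_H1))
```

The first line of output shows the problem the note raises: with the bypass in place the DISCARD entry for src A is never consulted, so the policy is unenforceable. Requiring IKE to pass the SPD (second line) makes the entry effective while still admitting IKE from other peers through an explicit BYPASS entry, which also answers the cleartext question: permitted IKE is BYPASS, not PROTECT, because it is not itself carried under an SA.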