
Re: 2401bis Issue #67 -- IPsec management traffic



At 16:32 +0200 9/18/03, Francis Dupont wrote:

> In your previous mail you wrote:
>
> > NO. what we said was that IKE SAs are treated specially by the
> > host/SG that terminates or originates IKE traffic, and thus need not
> > be subject to SPD/SAD controls.
>
> => IMHO it is convenient to be able to do both, i.e., the standard way
> is that the IKE daemon asks itself for the "bypass" for UDP/500 but
> the administrator can choose to enter specific SPD entries for UDP/500.
> (for instance in order to solve the issue of IKE messages going through
> the local node)
> BTW the RFC 2401 text is fine: it suggests this usage of the "bypass" but
> mandates nothing more than common sense.
>
> Thanks
>
> Francis.Dupont@enst-bretagne.fr

Francis,

I looked at 2401 and the text I found in Section 4.4.1 is what I assume folks had in mind when they thought that IKE traffic needed to have SPD entries:

"The SPD is used to control the flow of ALL traffic through an IPsec system, including security and key management traffic (e.g., ISAKMP) from/to entities behind a security gateway. This means that ISAKMP traffic must be explicitly accounted for in the SPD, else it will be discarded. Note that a security gateway could prohibit traversal of encrypted packets in various ways, e.g., having a DISCARD entry in the SPD for ESP packets or providing proxy key exchange. In the latter case, the traffic would be internally routed to the key management module in the security gateway."

What I think I had in mind here was that IKE (or other security management) traffic passing through the device needs to be accounted for in the SPD. But, IKE traffic created in the device does not pass through it, in my mind, and thus was exempt from this requirement. Is there some place in 2401 that refers to bypass of UDP/500 traffic for IKE?

Steve
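The distinction the two messages above argue over, as an added model that is not part of the thread or of any IPsec implementation: a toy security gateway whose ordered SPD follows RFC 2401 4.4.1 (unmatched traffic is discarded), with a switch for whether the node's own IKE (UDP/500) is exempt from the SPD lookup or, as Francis proposes, has to be covered by an administrator-entered bypass entry. `Packet`, `SpdEntry`, `dispose`, the addresses and the SPD contents are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

IKE_PORT = 500  # UDP/500: IKE/ISAKMP, the traffic this thread is about

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class SpdEntry:
    # Selectors, None is a wildcard; action is PROTECT, BYPASS or DISCARD.
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    action: str

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src, p.src), (self.dst, p.dst),
                 (self.proto, p.proto), (self.dport, p.dport))
        return all(sel is None or sel == val for sel, val in pairs)

def is_local_ike(p: Packet, local_addrs: set) -> bool:
    # IKE this node originates or terminates itself, as opposed to forwards
    return p.proto == "udp" and p.dport == IKE_PORT and \
        (p.src in local_addrs or p.dst in local_addrs)

def dispose(p: Packet, spd: list, local_addrs: set,
            exempt_local_ike: bool = True) -> str:
    # exempt_local_ike: the node's own IKE goes straight to the IKE daemon with
    # no SPD lookup (Steve's reading).  Anything else, IKE transiting the SG
    # included, gets an ordered SPD lookup and is discarded if nothing matches.
    if exempt_local_ike and is_local_ike(p, local_addrs):
        return "IKE_DAEMON"
    for entry in spd:          # SPD entries are ordered: first match wins
        if entry.matches(p):
            return entry.action
    return "DISCARD"           # RFC 2401 4.4.1: unaccounted traffic is dropped

# Constructed sample: SG 192.0.2.1 fronts host 10.0.0.5; remote peer 198.51.100.7.
LOCAL = {"192.0.2.1"}
TRANSIT_IKE = Packet("10.0.0.5", "198.51.100.7", "udp", IKE_PORT)
LOCAL_IKE = Packet("192.0.2.1", "198.51.100.7", "udp", IKE_PORT)
SPD_NO_IKE = [SpdEntry("10.0.0.5", "198.51.100.7", "tcp", None, "PROTECT")]
SPD_ADMIN = SPD_NO_IKE + [SpdEntry(None, None, "udp", IKE_PORT, "BYPASS")]
```

With `SPD_NO_IKE`, `dispose(TRANSIT_IKE, ...)` returns DISCARD while `dispose(LOCAL_IKE, ...)` returns IKE_DAEMON; with `exempt_local_ike=False` the gateway's own IKE is dropped too unless the `SPD_ADMIN` bypass entry is present.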