Re: 2401bis Issue #67 -- IPsec management traffic
Francis,
Your example is a good one. In cases like that it is necessary to
place IKE messages inside a tunnel, even when they originate at the
IPsec implementation in question. In those cases one would need
to make use of the SPD, as shown in your example.
I agree that use of the SPD for dealing with IKE traffic is needed
when we support nested SAs that terminate at the same IPsec
implementation, something that several folks at least want to retain
as an option, if not a requirement. So, we will reword the text to
say that one can deal with locally generated and terminated IKE and
similar management traffic either via SPD entries or via other,
locally defined, means.
There is one slight catch, however. There is no SPD entry action to
cause delivery of a received message to IKE. So, while your example
is appropriate for outbound IKE traffic, I don't think we ever
defined a way to express appropriate internal forwarding of inbound
IKE traffic. Any suggestions?
Steve
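To make the point in this exchange concrete, here is an added example (not part of the thread or of any 2401bis draft text) that models a simplified SPD with the three RFC 4301 actions (DISCARD, BYPASS, PROTECT) and shows how locally generated IKE traffic to a peer reachable only through an existing tunnel can be steered by an SPD entry, while IKE to the outer tunnel peer is bypassed. The inbound path in the model has no "deliver to IKE" action either: a packet that passes the selector check is simply handed to the host's normal UDP demultiplexer, which is the gap Steve describes. All addresses, entry contents and the `Packet`/`SPDEntry`/`SPD` names are constructed for illustration and are not from the thread.

```python
"""Simplified RFC 4301 SPD model (constructed example, not 2401bis text).

Assumptions: ordered first-match SPD; no match means DISCARD; PROTECT
entries carry the outer tunnel peer; inbound packets are checked after
any decapsulation.  IKE is UDP port 500 on both sides.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"
UDP = 17
IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class SPDEntry:
    local: str            # CIDR of the local side
    remote: str           # CIDR of the remote side
    proto: int
    local_port: int
    action: str
    tunnel_peer: Optional[str] = None   # outer peer for PROTECT (tunnel mode)

    def matches(self, local_addr: str, remote_addr: str, proto: int, lport: int) -> bool:
        return (ip_address(local_addr) in ip_network(self.local)
                and ip_address(remote_addr) in ip_network(self.remote)
                and self.proto == proto and self.local_port == lport)


class SPD:
    def __init__(self, entries):
        self.entries = list(entries)          # ordered, first match wins

    def lookup(self, local_addr, remote_addr, proto, lport) -> Optional[SPDEntry]:
        for e in self.entries:
            if e.matches(local_addr, remote_addr, proto, lport):
                return e
        return None                            # RFC 4301: no entry => discard


def outbound(spd: SPD, pkt: Packet) -> Tuple[str, Optional[str]]:
    """Outbound decision for a locally generated packet: (action, tunnel_peer)."""
    e = spd.lookup(pkt.src, pkt.dst, pkt.proto, pkt.sport)
    if e is None or e.action == DISCARD:
        return (DISCARD, None)
    if e.action == BYPASS:
        return (BYPASS, None)
    return (PROTECT, e.tunnel_peer)           # steer into the existing tunnel SA


def inbound(spd: SPD, pkt: Packet, arrived_via: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Inbound check after decapsulation; arrived_via is the tunnel peer it came
    from, or None if it arrived in the clear.  Returns (verdict, delivered_to).
    Note the SPD only says DISCARD/BYPASS/PROTECT: delivery to the IKE daemon
    is ordinary UDP demultiplexing on the host, not an SPD action."""
    e = spd.lookup(pkt.dst, pkt.src, pkt.proto, pkt.dport)
    if e is None or e.action == DISCARD:
        return (DISCARD, None)
    if e.action == PROTECT and arrived_via != e.tunnel_peer:
        return (DISCARD, None)                 # should have been protected but was not
    if e.action == BYPASS and arrived_via is not None:
        return (DISCARD, None)                 # bypass traffic must not arrive inside an SA
    target = f"udp/{pkt.dport}"                # e.g. udp/500 -> IKE, via host demux
    return ("ACCEPT", target)


# Constructed scenario: this gateway is 192.0.2.1, it has an outer tunnel to
# 198.51.100.1, and an inner peer 10.1.0.1 reachable only through that tunnel.
GATEWAY = "192.0.2.1"
OUTER_PEER = "198.51.100.1"
INNER_PEER = "10.1.0.1"

SPD_TABLE = SPD([
    # IKE to anything behind the outer peer must itself be tunneled
    SPDEntry(f"{GATEWAY}/32", "10.1.0.0/16", UDP, IKE_PORT, PROTECT, tunnel_peer=OUTER_PEER),
    # IKE to the outer peer goes in the clear
    SPDEntry(f"{GATEWAY}/32", f"{OUTER_PEER}/32", UDP, IKE_PORT, BYPASS),
])

if __name__ == "__main__":
    print(outbound(SPD_TABLE, Packet(GATEWAY, INNER_PEER, UDP, IKE_PORT, IKE_PORT)))
    print(inbound(SPD_TABLE, Packet(INNER_PEER, GATEWAY, UDP, IKE_PORT, IKE_PORT), OUTER_PEER))
```

The `inbound` function is where the gap Steve raises shows up: the entry tells the implementation whether the packet was allowed to arrive the way it did, but nothing in the entry names IKE as the recipient, so the model falls back on port-based demultiplexing outside the SPD.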