
Re: 2401bis Issue #67 -- IPsec management traffic



Francis,

Your example is a good one. In cases like that it is necessary to 
place IKE messages inside a tunnel, even when they originate at the 
IPsec implementation in question. In those cases one would need 
to make use of the SPD, as shown in your example.

I agree that use of the SPD for dealing with IKE traffic is needed 
when we support nested SAs that terminate at the same IPsec 
implementation, something that several folks at least want to retain 
as an option, if not a requirement. So, we will reword the text to 
say that one can deal with locally generated and terminated IKE and 
similar management traffic either via SPD entries or via other, 
locally defined, means.

There is one slight catch, however. There is no SPD entry action to 
cause delivery of a received message to IKE. So, while your example 
is appropriate for outbound IKE traffic, I don't think we ever 
defined a way to express appropriate internal forwarding of inbound 
IKE traffic.  Any suggestions?

Steve
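The following is an added illustration of the processing model the thread is arguing about; it is not code from Steve's or Francis's messages, from the 2401bis draft, or from any IPsec implementation. It models an ordered SPD with the three actions DISCARD, BYPASS and PROTECT, a host A whose SA to C is nested inside a tunnel to gateway B, and the two cases discussed: outbound IKE that must itself be tunnelled (so it needs an SPD entry), and inbound IKE, where the SPD can check that the packet arrived the way policy demands but has no action that hands it to IKE. The addresses, the SPD entries and the rule that "UDP port 500/4500 means IKE" are assumptions made for the example.

```python
# Toy model of the 2401bis SPD processing discussed in the thread.  Added
# example, not code from the draft or from any IPsec implementation.  The
# addresses, the SPD entries and the "IKE = UDP port 500/4500" dispatch rule
# are assumptions made for the illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"
IKE_PORTS = (500, 4500)  # assumed local IKE ports; not an SPD concept


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "udp", "tcp" or "esp" in this model
    dport: Optional[int] = None


@dataclass(frozen=True)
class SPDEntry:
    """One ordered SPD entry: selectors (None = any) and an action."""
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    action: str
    tunnel_peer: Optional[str] = None  # tunnel-mode peer for PROTECT entries

    def matches(self, p: Packet) -> bool:
        return all(sel is None or sel == val for sel, val in
                   ((self.src, p.src), (self.dst, p.dst),
                    (self.proto, p.proto), (self.dport, p.dport)))


def lookup(spd: List[SPDEntry], pkt: Packet) -> Optional[SPDEntry]:
    """Ordered search: the first matching entry decides."""
    return next((e for e in spd if e.matches(pkt)), None)


# Constructed topology: host A runs an SA to C *nested* inside a tunnel to
# gateway B.  IKE to B must be bypassed (the outer tunnel does not exist
# yet); IKE to C must itself travel through the A<->B tunnel, which is why
# that IKE traffic needs an SPD entry rather than an implicit bypass.
A, B, C = "10.0.0.1", "192.0.2.1", "198.51.100.9"

SPD_OUT = [
    SPDEntry(A, B, "udp", 500, BYPASS),                    # IKE for outer SA
    SPDEntry(A, C, "udp", 500, PROTECT, tunnel_peer=B),    # IKE for inner SA
    SPDEntry(A, C, None, None, PROTECT, tunnel_peer=B),    # other A->C traffic
    SPDEntry(None, None, None, None, DISCARD),             # default deny
]
SPD_IN = [
    SPDEntry(B, A, "udp", 500, BYPASS),
    SPDEntry(C, A, "udp", 500, PROTECT, tunnel_peer=B),
    SPDEntry(C, A, None, None, PROTECT, tunnel_peer=B),
    SPDEntry(None, None, None, None, DISCARD),
]


def outbound(spd: List[SPDEntry], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Outbound processing: (action, tunnel peer).  Locally generated IKE
    packets take exactly the same path as any other outbound packet."""
    e = lookup(spd, pkt)
    if e is None or e.action == DISCARD:
        return DISCARD, None
    return e.action, e.tunnel_peer


def encapsulate(pkt: Packet, tunnel_peer: str) -> Packet:
    """Outer packet produced by tunnel-mode ESP; the inner header is hidden.
    (This toy does not re-run the SPD on the outer packet.)"""
    return Packet(pkt.src, tunnel_peer, "esp")


def local_dispatch(pkt: Packet) -> str:
    """Where a packet goes once IPsec is done with it.  This is the 'other,
    locally defined means' of the thread: the SPD has no action that says
    'hand this to IKE', so the decision is made on the transport header."""
    return "IKE" if pkt.proto == "udp" and pkt.dport in IKE_PORTS else "stack"


def inbound(spd: List[SPDEntry], inner: Packet,
            arrived_via: Optional[str]) -> str:
    """Inbound check after any decapsulation, then local dispatch.
    arrived_via is the tunnel peer the packet was decapsulated from, or
    None if it arrived in the clear."""
    e = lookup(spd, inner)
    if e is None or e.action == DISCARD:
        return DISCARD
    if e.action == PROTECT and arrived_via != e.tunnel_peer:
        return DISCARD  # policy demanded protection via a specific tunnel
    return local_dispatch(inner)


if __name__ == "__main__":
    ike_to_c = Packet(A, C, "udp", 500)
    action, peer = outbound(SPD_OUT, ike_to_c)
    print("IKE A->C:", action, "via", peer, "->", encapsulate(ike_to_c, peer))
    print("IKE A->B:", outbound(SPD_OUT, Packet(A, B, "udp", 500)))
    print("IKE from C via B:", inbound(SPD_IN, Packet(C, A, "udp", 500), B))
    print("IKE from C in clear:", inbound(SPD_IN, Packet(C, A, "udp", 500), None))
```

The outbound side shows why Francis's example needs an SPD entry: IKE to C is matched like any other packet and ends up inside the A<->B tunnel, while IKE to B is bypassed. The inbound side shows the catch Steve raises: the SPD can verify that IKE from C arrived through the expected tunnel and discard it otherwise, but the step that actually routes the packet to IKE is `local_dispatch`, which is a locally defined rule on the UDP port and not an SPD action.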