Re: 2401bis Issue #67 -- IPsec management traffic



Hi Francis,

>  In your previous mail you wrote:
>
>    There is one slight catch, however. There is no SPD entry action to
>    cause delivery of a received message to IKE. So, while your example
>    is appropriate for outbound IKE traffic, I don't think we ever
>    defined a way to express appropriate internal forwarding of inbound
>    IKE traffic.  Any suggestions?
>   
>=> I agree but I don't believe there is a solution inside IPsec itself:
>to enforce the delivery of packets matching a filter to a process/user/...
>is a "personal firewall" function only.

	[Throwing in a few pennies until Steve returns...]

	Are you speaking of hosts here?  While it might work there,
	a "personal firewall" seems odd applied to SGs.  A general
	solution would be to add another action in the SPD, e.g.,
	"direct to security management".

Karen