
Re: 2401bis Issue #67 -- IPsec management traffic



 In your previous mail you wrote:

   >  In your previous mail you wrote:
   >
   >    There is one slight catch, however. There is no SPD entry action to
   >    cause delivery of a received message to IKE. So, while your example
   >    is appropriate for outbound IKE traffic, I don't think we ever
   >    defined a way to express appropriate internal forwarding of inbound
   >    IKE traffic.  Any suggestions?
   >   
   >=> I agree but I don't believe there is a solution inside IPsec itself:
   >to enforce the delivery of packets matching a filter to a process/user/...
   >is a "personal firewall" function only.
   
   	[Throwing in a few pennies until Steve returns...]
   
   	Are you speaking of hosts here?

=> the "internal forwarding" is a host function, i.e., this applies
to SGs considered as hosts.

        While it might work there, a "personal firewall" seems odd
        applied to SGs.

=> "personal firewalls" are the only common security tools which can
bind traffic to an application.

        A general
   	solution would be to add another action in the SPD, e.g.,
   	"direct to security management".
   
=> this makes no sense because you can't really define what is the
"security management". IMHO the issue is clearly outside the IPsec scope,
i.e., we can make security recommendations but we can't specify a
solution.

Regards

Francis.Dupont@enst-bretagne.fr

PS: as an implementor: the easy solution is to put a part of IKE inside
the kernel, as it should be already done for the UDP port 4500.