Issue #67 IPsec management traffic

I agree that this is an implementation issue and I do not think this kind
of thing should be described too much in the RFC2401bis. The
management traffic must be able to reach the machine, thus there must
be a rule somewhere that allows that to pass. Whether that rule is in
the fixed code (built-in SPD?) or in the actual SPD is completely an
implementation issue.

Also note that the definition of management traffic changes from time
to time, depending on the configuration. In some cases where
certificates are used the IKE might need to use LDAP or HTTP to fetch
certificates or CRLs; it might also need to do OCSP etc. at the same
time. Before the IKE might start it might need to do DHCP, DNS, SNMP,
IPv6 Neighbor Discovery etc.

As the list of management traffic is not fixed, and can change when the
administrator changes the configuration, this suggests that this kind
of configuration should be done through the administrator-configurable
SPD, and perhaps some document should simply list some of the
protocols which might be needed for different configurations.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
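The argument above, as an added illustration that is not part of the original message: a toy, ordered Security Policy Database with the RFC 2401 actions BYPASS, PROTECT and DISCARD, where management traffic (IKE, DNS, DHCP, LDAP/HTTP for CRL fetching) reaches the host only because an administrator-configurable BYPASS entry exists for it. The entry names, the `Selector`/`SpdEntry` classes and the rule list are constructed for this example; the protocol numbers and ports are the IANA assignments. Dropping the LDAP entry shows the failure mode the message hints at: the CRL fetch then falls to a PROTECT entry, i.e. it would need an SA that IKE itself is still trying to set up.

```python
# Added example, not code from the original message or from the SSH IPSEC
# Toolkit: a minimal first-match SPD lookup showing that management traffic
# passes only where an explicit BYPASS entry exists.
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Selector:
    proto: Optional[int]         # IP protocol number, None = any
    local_port: Optional[int]    # None = any
    remote_port: Optional[int]   # None = any


@dataclass(frozen=True)
class SpdEntry:
    name: str
    selector: Selector
    action: str                  # "BYPASS", "PROTECT" or "DISCARD" (RFC 2401 terms)


UDP, TCP = 17, 6  # IANA protocol numbers

# Constructed sample of the management protocols the message lists.
# Ports are the IANA assignments for each service.
MANAGEMENT_BYPASS = [
    SpdEntry("ike",       Selector(UDP, 500, 500),   "BYPASS"),
    SpdEntry("ike-nat-t", Selector(UDP, 4500, 4500), "BYPASS"),
    SpdEntry("dns",       Selector(UDP, None, 53),   "BYPASS"),
    SpdEntry("dhcp",      Selector(UDP, 68, 67),     "BYPASS"),
    SpdEntry("ldap-crl",  Selector(TCP, None, 389),  "BYPASS"),
    SpdEntry("http-crl",  Selector(TCP, None, 80),   "BYPASS"),
]

# Constructed sample of "everything else over TCP must be IPsec-protected".
PROTECTED = [SpdEntry("tcp-protected", Selector(TCP, None, None), "PROTECT")]


def build_spd(management: Sequence[SpdEntry], protected: Sequence[SpdEntry] = ()):
    """Ordered SPD: management bypasses first, then protected traffic,
    then a catch-all DISCARD so that unlisted traffic never leaks."""
    return [*management, *protected,
            SpdEntry("default", Selector(None, None, None), "DISCARD")]


def matches(sel: Selector, proto: int, lport: int, rport: int) -> bool:
    return ((sel.proto is None or sel.proto == proto)
            and (sel.local_port is None or sel.local_port == lport)
            and (sel.remote_port is None or sel.remote_port == rport))


def lookup(spd: Sequence[SpdEntry], proto: int, lport: int, rport: int):
    """First-match SPD lookup; returns (entry name, action)."""
    for entry in spd:
        if matches(entry.selector, proto, lport, rport):
            return entry.name, entry.action
    raise AssertionError("SPD must end in a catch-all entry")


# Full configuration versus one where the administrator forgot LDAP.
FULL_SPD = build_spd(MANAGEMENT_BYPASS, PROTECTED)
NO_LDAP_SPD = build_spd([e for e in MANAGEMENT_BYPASS if e.name != "ldap-crl"],
                        PROTECTED)

if __name__ == "__main__":
    # IKE itself and a CRL fetch pass with the full SPD ...
    print(lookup(FULL_SPD, UDP, 500, 500))          # ('ike', 'BYPASS')
    print(lookup(FULL_SPD, TCP, 40000, 389))        # ('ldap-crl', 'BYPASS')
    # ... an unlisted protocol (NTP) is discarded ...
    print(lookup(FULL_SPD, UDP, 40000, 123))        # ('default', 'DISCARD')
    # ... and without the LDAP entry the CRL fetch would need an SA that
    # cannot exist yet, because IKE is the one waiting for the CRL.
    print(lookup(NO_LDAP_SPD, TCP, 40000, 389))     # ('tcp-protected', 'PROTECT')
```

The ordering matters: the BYPASS entries sit in front of the PROTECT entry so that a bootstrap dependency of IKE is never classified as traffic that itself requires an SA, and the trailing DISCARD makes any protocol the administrator did not list fail closed rather than pass in the clear.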