On Feb 22, 2010, at 5:48 PM, Stephen Kent wrote:

> At 7:22 PM +0530 2/22/10, Syed Ajim Hussain wrote:
>> Hi Steve
>> According to me IPSEC/IKE should have intelligence to bypass ND traffic
>> when the SA is not in ready state, without end-user intervention, and the same
>> should be accepted by the other end.
>>
>> If some vendor/product may ask the user to add specific rules in the SPD to
>> bypass ND traffic, it is up to his own choice.
>
> I see a fundamental misunderstanding here. Vendors don't configure
> SPDs, users do. A vendor may offer a simple UI to enable this sort of
> config, but that's not the same as the vendor making this decision
> for all of the users of its products.
<vendor_hat_on>

There are some SPD entries that you need just to make the system work (such as allowing IKE to bypass, or allowing HTTP to the server that's holding the Hash&URL certificates, or HTTP access to wherever the CDP is). In an environment where IPsec is between hosts on the same subnet, you also need the IPv6 control stuff to be able to bypass.

Users don't think in terms of SPDs. Their policies are written in English, like "encrypt mail and web between our sites, and allow http+https to other places, but block filesharing". The simple UI helps to translate the English policy into SPDs that the product understands. IKE, CRLs and IPv6 control are not part of the policy, and a simple UI will usually add these SPD entries automatically. Some will allow you to turn off these automatic rules (our product has a checkbox that says "Accept control connections") but users are not expected to do that.

So there is a difference between the stated policy that the user configures, and the SPD that finally gets pushed to the IPsec stack.

</vendor_hat_on>

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
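The translation the reply describes (an English-style policy in, an ordered SPD out, with the IKE, ND and CRL bypass entries added automatically and a switch to leave them out), as an added example that is not code from the posting or from any vendor's product. The policy shape, the addresses, the port numbers and the exact set of "control" entries are assumptions chosen to illustrate the point; a real SPD also carries direction, source ports and further selectors.

```python
"""Translating an English-style IPsec policy into an ordered SPD.

Added example, not code from the list posting or from any vendor product.
The policy shape, addresses, ports and the set of "control" entries are
assumptions; real SPDs carry more selectors than this (RFC 4301).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

BYPASS, PROTECT, DISCARD = "BYPASS", "PROTECT", "DISCARD"
ND_TYPES = frozenset({133, 134, 135, 136, 137})  # RS, RA, NS, NA, Redirect


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmpv6"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class SpdEntry:
    action: str
    src: str                          # CIDR; "::/0" means any (IPv6-only example)
    dst: str
    proto: Optional[str] = None       # None means any protocol
    dports: Optional[frozenset] = None
    icmp_types: Optional[frozenset] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.dports is None or p.dport in self.dports)
                and (self.icmp_types is None or p.icmp_type in self.icmp_types))


def control_entries(cdp: str, hash_url_server: str) -> list:
    """Entries the user's policy never mentions but the system needs to work.
    Assumed set: IKE (plus NAT-T), IPv6 Neighbor Discovery, CRL and Hash&URL fetches."""
    return [
        SpdEntry(BYPASS, "::/0", "::/0", "udp", frozenset({500, 4500}), note="IKE, IKE over NAT-T"),
        SpdEntry(BYPASS, "::/0", "::/0", "icmpv6", icmp_types=ND_TYPES, note="IPv6 ND"),
        SpdEntry(BYPASS, "::/0", cdp, "tcp", frozenset({80}), note="CRL fetch from the CDP"),
        SpdEntry(BYPASS, "::/0", hash_url_server, "tcp", frozenset({80}), note="Hash&URL certificates"),
    ]


# Constructed sample policy: "encrypt mail and web between our sites, allow
# http+https to other places, but block filesharing".
POLICY = {
    "sites": ["2001:db8:1::/48", "2001:db8:2::/48"],
    "protect_between_sites": {"tcp": {25, 80, 443}},
    "bypass_elsewhere": {"tcp": {80, 443}},
    "discard": {"tcp": set(range(6881, 6890))},   # assumed filesharing ports
}
CDP = "2001:db8:ca::1"        # assumed CRL distribution point
HASH_URL = "2001:db8:ca::2"   # assumed Hash&URL certificate server


def compile_policy(policy: dict, cdp: str, hash_url: str, accept_control: bool = True) -> list:
    """SPD lookup is first match, so order matters: control entries first, then
    the explicit DISCARDs, then site-to-site PROTECT, and only then the broad
    BYPASS, so web traffic between the sites is still encrypted."""
    spd = control_entries(cdp, hash_url) if accept_control else []
    for proto, ports in policy["discard"].items():
        spd.append(SpdEntry(DISCARD, "::/0", "::/0", proto, frozenset(ports), note="block filesharing"))
    for a in policy["sites"]:
        for b in policy["sites"]:
            if a != b:
                for proto, ports in policy["protect_between_sites"].items():
                    spd.append(SpdEntry(PROTECT, a, b, proto, frozenset(ports), note="encrypt between sites"))
    for proto, ports in policy["bypass_elsewhere"].items():
        spd.append(SpdEntry(BYPASS, "::/0", "::/0", proto, frozenset(ports), note="http+https elsewhere"))
    return spd


def lookup(spd: list, pkt: Packet) -> str:
    for entry in spd:
        if entry.matches(pkt):
            return entry.action
    return DISCARD   # no matching SPD entry: discard (RFC 4301 default)


# Constructed sample packets
SAMPLES = {
    "nd_ns":   Packet("fe80::1", "ff02::1:ff00:2", "icmpv6", icmp_type=135),
    "ike":     Packet("2001:db8:1::1", "2001:db8:2::1", "udp", dport=500),
    "smtp":    Packet("2001:db8:1::10", "2001:db8:2::25", "tcp", dport=25),
    "web_s2s": Packet("2001:db8:1::10", "2001:db8:2::80", "tcp", dport=80),
    "web_out": Packet("2001:db8:1::10", "2001:db8:ffff::1", "tcp", dport=443),
    "crl":     Packet("2001:db8:1::1", CDP, "tcp", dport=80),
    "torrent": Packet("2001:db8:1::10", "2001:db8:2::10", "tcp", dport=6881),
}


def classify(accept_control: bool = True) -> dict:
    """Action the compiled SPD gives each sample packet."""
    spd = compile_policy(POLICY, CDP, HASH_URL, accept_control)
    return {name: lookup(spd, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for flag in (True, False):
        print(f"accept control connections = {flag}")
        for name, action in classify(flag).items():
            print(f"  {name:8s} {action}")
```

Running it with the checkbox "on" gives BYPASS for the ND solicitation and the IKE packet while mail and web between the sites still come out PROTECT; with the automatic entries left out, the same policy discards both the ND solicitation and the IKE packet, so no SA could ever be negotiated even though the user's stated policy did not change.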