At 7:22 PM +0530 2/22/10, Syed Ajim Hussain wrote:
> Hi Steve
>
> According to me, IPSEC/IKE should have the intelligence to by-pass ND traffic
> when the SA is not in ready state, without end-user intervention, and the same
> should be accepted by the other end.
>
> If some vendor/product may ask the user to add specific rules in the SPD to
> by-pass ND traffic, it is up to his own choice.

I see a fundamental misunderstanding here. Vendors don't configure
SPDs, users do. A vendor may offer a simple UI to enable this sort of
config, but that's not the same as the vendor making this decision
for all of the users of its products.

> According to me, there should be one guideline in the RFC: control packets like
> ND can go without IPSEC encapsulation, even if the SPD matches.

This last statement seems to say that you want IPsec implementations
to treat these packets specially, and always bypass them,
irrespective of SPD configurations. I don't think we do this for any
other type of traffic.
Steve
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
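
The two positions in this exchange, as an added example that is not part of the original message: a simplified Python model of an ordered, first-match SPD in which ND is bypassed only when the administrator lists an explicit BYPASS entry ahead of the PROTECT rule. The class and function names, the `NO_SA` outcome label and the sample policies are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ICMPV6 = 58
# Neighbor Discovery message types (RFC 4861): RS, RA, NS, NA, Redirect
ND_TYPES = frozenset({133, 134, 135, 136, 137})

@dataclass(frozen=True)
class Packet:
    next_header: int
    icmp_type: Optional[int] = None

@dataclass(frozen=True)
class SpdEntry:
    name: str
    action: str                             # "BYPASS", "PROTECT" or "DISCARD"
    next_header: Optional[int] = None       # None matches any protocol
    icmp_types: Optional[frozenset] = None  # None matches any ICMPv6 type

    def matches(self, pkt: Packet) -> bool:
        if self.next_header is not None and pkt.next_header != self.next_header:
            return False
        if self.icmp_types is not None and pkt.icmp_type not in self.icmp_types:
            return False
        return True

def spd_lookup(spd, pkt):
    """Ordered lookup: the first matching entry wins, no match means DISCARD."""
    for entry in spd:
        if entry.matches(pkt):
            return entry
    return SpdEntry("implicit-default", "DISCARD")

def outbound(spd, sa_ready, pkt):
    """Outcome for an outbound packet; NO_SA means PROTECT matched but no SA exists."""
    entry = spd_lookup(spd, pkt)
    if entry.action == "PROTECT" and not sa_ready:
        return "NO_SA"  # key management has to run before this packet can leave
    return entry.action

# Constructed sample policies and packets.
PROTECT_ALL = [SpdEntry("protect-all", "PROTECT")]
WITH_ND_BYPASS = [SpdEntry("nd-bypass", "BYPASS", ICMPV6, ND_TYPES)] + PROTECT_ALL
NS = Packet(ICMPV6, 135)    # Neighbor Solicitation
ECHO = Packet(ICMPV6, 128)  # Echo Request, not ND
TCP = Packet(6)

if __name__ == "__main__":
    for label, spd in (("protect-all", PROTECT_ALL), ("nd-bypass first", WITH_ND_BYPASS)):
        print(label, {n: outbound(spd, False, p) for n, p in (("NS", NS), ("ECHO", ECHO))})
```
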