Yoav,
I did not mean to suggest that the SPD UI has to be a low level
interface that makes it difficult for users to achieve their security
goals. On the other hand, I would be surprised if any vendor's UI
really accepted English (or another human communication language).
So, despite the fact that policies are written in a human
communication language, those policies need to be entered into a UI
via a language that is more rigorous. I don't think we're saying
anything different; we both agreed that a UI can provide simple ways
for users to enable the needed bypass entries.
RFC 4301, in Figure 1 and Figure 3, shows where IKE lives relative to
the IPsec boundary, and that implies the need for the sort of SPD
entries you cited in your message.
I do think that Syed was saying something different, i.e., that the
IPsec architecture document should explicitly say what SPD entries
must be created to enable bypass of this sort of traffic. That would
be a bad idea, as it would require revisions to the architecture
every time some new example of such bypassed traffic arises.
Steve
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
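To make the point about "rigorous" SPD entries concrete, here is an added example (not code from the thread, RFC 4301, or any vendor): a minimal ordered SPD in the RFC 4301 style, with the BYPASS entries that IKE needs on UDP/500 and UDP/4500 ahead of a PROTECT entry for the peer, and a check that tells an administrator whether a given SPD actually lets IKE through. The host and peer addresses are constructed from documentation ranges; the selector fields and the dict-shaped packet description are this example's own simplification.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

UDP = 17
IKE_PORT, IKE_NAT_T_PORT = 500, 4500  # IKE, and IKE over UDP for NAT traversal

@dataclass
class SpdEntry:
    name: str
    action: str                        # RFC 4301 actions: DISCARD, BYPASS, PROTECT
    local: str                         # local address prefix (outbound: source)
    remote: str                        # remote address prefix (outbound: destination)
    proto: Optional[int] = None        # IP protocol number; None = ANY
    local_port: Optional[int] = None   # None = ANY
    remote_port: Optional[int] = None  # None = ANY

    def matches(self, pkt: dict) -> bool:
        """Selector match for an outbound packet given as a dict (constructed shape)."""
        return (ip_address(pkt["src"]) in ip_network(self.local)
                and ip_address(pkt["dst"]) in ip_network(self.remote)
                and self.proto in (None, pkt["proto"])
                and self.local_port in (None, pkt["sport"])
                and self.remote_port in (None, pkt["dport"]))

def lookup(spd, pkt):
    """SPD entries are ordered: first match wins; no match means DISCARD."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.name, entry.action
    return "no-match", "DISCARD"

def ike_can_reach(spd, local_ip, peer_ip):
    """Sanity check: does IKE to this peer bypass IPsec on both UDP/500 and UDP/4500?"""
    return all(lookup(spd, {"src": local_ip, "dst": peer_ip, "proto": UDP,
                            "sport": p, "dport": p})[1] == "BYPASS"
               for p in (IKE_PORT, IKE_NAT_T_PORT))

# Constructed SPD: host 192.0.2.10 protects all traffic to peer 198.51.100.1.
HOST, PEER = "192.0.2.10", "198.51.100.1"
SPD = [
    SpdEntry("ike", "BYPASS", HOST + "/32", PEER + "/32", UDP, IKE_PORT, IKE_PORT),
    SpdEntry("ike-nat-t", "BYPASS", HOST + "/32", PEER + "/32", UDP, IKE_NAT_T_PORT, IKE_NAT_T_PORT),
    SpdEntry("to-peer", "PROTECT", HOST + "/32", PEER + "/32"),
]
# The same SPD without the bypass entries: IKE packets would themselves be
# handed to IPsec, which has no SA yet, so no SA could ever be negotiated.
SPD_BROKEN = [e for e in SPD if e.action != "BYPASS"]
```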