HP 635n Practical IPsec Deployment for Printing and Imaging Devices - Page 48

Figure 41 - Traffic Types The most problematic of all traffic for IPsec to handle is broadcast/multicast traffic. The premise around broadcast and multicast traffic is to send only one packet to multiple hosts without having to send each host a separate packet. IPsec cannot protect this traffic because there is not an easy way to do IKE negotiations with multiple hosts at the same time and have everyone agree on the same key. Therefore, when a broadcast/multicast packet is received and the IPsec policy states that the packet must be provided IPsec protection, HP Jetdirect will DROP the packet since it cannot meet the requirements of the IPsec policy. Because of the ubiquitous nature of broadcast/multicast traffic, HP Jetdirect has made some exceptions to important protocols to allow for proper operation when broadcast/multicast traffic is received. The traffic chosen is shown in Figure 42 - Advanced Options. Figure 42 - Advanced Options On this screen, protocols can be selected to bypass the IPsec policy for broadcast/multicast traffic or by unselecting them, not to bypass the IPsec policy. The default selections allow for proper operation of the network without too much exposure to security threats. This behavior is important to understand. If an administrator selects an IPsec policy where all IP addresses and all IP services are required to use IPsec, the HP Jetdirect device will still get DHCP configured. This behavior can be controlled through the screen in Figure 42, but is the default behavior. Where the advanced option screen suffers is for broadcast/multicast request packets that require a unicast response - protocols like SLP. Here, the request is allowed to bypass the IPsec policy, but the response is unicast and must follow the IPsec policy and could result in the packet using IPsec. If the requestor does not have a matching IPsec policy, the response is never received. Refer to Figure 43 for an SLP discovery example. 48