Pekka,I think you seriously misread 4301, perhaps because, as you note, you have never read any IPsec RFCs previously.
You are right that "IPsec spec is not optimized for control plane protection." The discussion of the IPsec boundary and the other features you criticized is far from "crazy talk;" they are directly applicable to the BGP security context. Specifically, one would want to define the boundary around a router's management processing, because the goal is to control which traffic flows across this boundary, and to ensure protection for BGP sessions.
All of the examples you cited in your criticism "IPsec spec tries to address too many problems? are related. IPsec applies crypto-security to traffic on a selected basis, and that, in turn, requires an access control function directed by the SPD. Otherwise, one cannot reliably apply the crypto-security, cannot know what traffic is to be bypassed, etc. Also, IPsec is designed as THE IP layer security facility, so it needs to accommodate end system and intermediate system application contexts, which mandates the inclusion of features that you seem to think are excess baggage.
Your assumption "that an IPsec implementation at a router would have to inspect ALL packets it forwards ..." is wrong, IF the goal is to protect BGP traffic originating and terminating at the router. Section 3.3 in RFC 4301 says "A security gateway might employ separate IPsec implementations to protect its management traffic and subscriber traffic." By defining the security boundary to encompass the management process in a router, but not the traffic forwarding function, there is no need to inspect ALL packets ... There is no need to consult routing table entries to decide what traffic is subjected to IPsec protection when the goal is BGP session security between a pair of border routers. if one also wants to protect subscriber traffic, then a separate security boundary is defined for that function and a separate implementation of IPsec might be employed for that high volume use.
I think Tero's response was way too polite given your broad, largely inaccurate criticisms of a document that you appear to have not read very closely.
Steve
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.