
5.2 klips2 radij

The radij tree provides the lookup over eroute entries.

The eroute database holds the IPsec security policy database (SPD); the radij tree is the index into it, keyed by packet selectors.

It is a table derived from the BSD radix.c code. It has been modified so that bits of the index can be masked at arbitrary positions, which allows both the source address and the destination address to be masked independently.
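The following is an added example, not code from the klips2 design or from FreeS/WAN. It illustrates the lookup semantics the radij tree indexes: the key is the concatenated source and destination address, each with its own mask, and a packet selects the most specific entry that covers it. For clarity it uses a linear scan over the entries rather than the radix tree; the structure names, the policy labels and the table contents are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEYLEN 8            /* 4 bytes IPv4 source followed by 4 bytes IPv4 destination */
#define MAX_ENTRIES 32

/* One SPD selector: a key already reduced by its mask, and the policy it selects.
 * Hypothetical layout; klips2's real eroute/radij structures differ. */
struct spd_entry {
    uint8_t key[KEYLEN];
    uint8_t mask[KEYLEN];
    int specificity;          /* number of mask bits set; higher wins on overlap */
    const char *policy;       /* label standing in for the eroute the entry points at */
};

struct spd {
    struct spd_entry ent[MAX_ENTRIES];
    int n;
};

/* Parse a dotted quad into 4 bytes; returns 0 on success, -1 on bad input. */
static int parse_ip4(const char *s, uint8_t out[4])
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    out[0] = a; out[1] = b; out[2] = c; out[3] = d;
    return 0;
}

/* Build a contiguous prefix mask of `bits` (0..32) bits into 4 bytes. */
static void prefix_mask(int bits, uint8_t out[4])
{
    for (int i = 0; i < 4; i++) {
        int take = bits - 8 * i;
        if (take >= 8) out[i] = 0xff;
        else if (take <= 0) out[i] = 0;
        else out[i] = (uint8_t)(0xff << (8 - take));
    }
}

static int popcount8(uint8_t v) { int c = 0; while (v) { c += v & 1; v >>= 1; } return c; }

/* Insert a selector. src/dst are dotted quads, sbits/dbits their prefix lengths.
 * The source and destination masks are independent: either side, both or
 * neither may be masked, which is why masked bits occur at arbitrary places
 * in the combined key. */
static int spd_add(struct spd *spd, const char *src, int sbits,
                   const char *dst, int dbits, const char *policy)
{
    if (spd->n >= MAX_ENTRIES) return -1;
    struct spd_entry *e = &spd->ent[spd->n];
    uint8_t raw[KEYLEN];
    if (parse_ip4(src, raw) || parse_ip4(dst, raw + 4)) return -1;
    prefix_mask(sbits, e->mask);
    prefix_mask(dbits, e->mask + 4);
    e->specificity = 0;
    for (int i = 0; i < KEYLEN; i++) {
        e->key[i] = raw[i] & e->mask[i];   /* store the key pre-masked */
        e->specificity += popcount8(e->mask[i]);
    }
    e->policy = policy;
    spd->n++;
    return 0;
}

/* Most-specific match for a (src,dst) pair; NULL if no selector covers it. */
static const struct spd_entry *spd_lookup(const struct spd *spd,
                                          const char *src, const char *dst)
{
    uint8_t pkt[KEYLEN];
    if (parse_ip4(src, pkt) || parse_ip4(dst, pkt + 4)) return NULL;
    const struct spd_entry *best = NULL;
    for (int i = 0; i < spd->n; i++) {
        const struct spd_entry *e = &spd->ent[i];
        int hit = 1;
        for (int j = 0; j < KEYLEN && hit; j++)
            if ((pkt[j] & e->mask[j]) != e->key[j]) hit = 0;
        if (hit && (!best || e->specificity > best->specificity)) best = e;
    }
    return best;
}

/* A constructed example SPD and a lookup helper returning the selected policy. */
static struct spd example_spd;
static int example_ready;

static const char *example_policy(const char *src, const char *dst)
{
    if (!example_ready) {
        spd_add(&example_spd, "0.0.0.0", 0,   "0.0.0.0", 0,       "default-pass");
        spd_add(&example_spd, "10.0.0.0", 8,  "0.0.0.0", 0,       "tunnel-gw-A"); /* source masked only */
        spd_add(&example_spd, "0.0.0.0", 0,   "192.168.1.0", 24,  "tunnel-gw-B"); /* destination masked only */
        spd_add(&example_spd, "10.1.2.3", 32, "192.168.1.7", 32,  "oe-pair");     /* fully specified pair */
        example_ready = 1;
    }
    const struct spd_entry *e = spd_lookup(&example_spd, src, dst);
    return e ? e->policy : "no-match";
}

int main(void)
{
    const char *pairs[][2] = {
        {"10.1.2.3", "192.168.1.7"}, {"10.9.9.9", "192.168.1.7"},
        {"10.5.5.5", "1.2.3.4"},     {"172.16.0.1", "8.8.8.8"},
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-12s -> %-14s : %s\n", pairs[i][0], pairs[i][1],
               example_policy(pairs[i][0], pairs[i][1]));
    return 0;
}
```

The point to notice is the second lookup: a packet from 10.9.9.9 to 192.168.1.7 is covered by both the source-only entry and the destination-only entry, and the destination entry wins because more key bits are fixed. A radix tree keyed only on a contiguous prefix could not index the destination-only entry at all, which is the reason the text gives for modifying radix.c. The fully specified pair is the kind of entry opportunistic encryption produces in bulk.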

The radij tree will be replaced or augmented to support additional selectors. These include UDP/TCP port numbers, SPI numbers (for multiple layers of gateways), ICMP types and codes, and possibly also IPSO labels.

Because opportunistic encryption creates large numbers of fully specified source/destination pairs, it will be investigated whether an auxiliary table could store those entries more efficiently. In particular, connection tracking may be able to provide the required index more efficiently than the tree.



Michael Richardson
2001-11-27