Question about draft-ietf-ipsec-arch-sec-03.txt
Hello IPsec Folks,
I have a question concerning draft-ietf-ipsec-arch-sec-03.txt.
Here is the text about processing of inbound packets:
====
5.2 Processing Inbound IP Traffic
[...]
5.2.1 Selecting and Using an SA or SA Bundle
[...]
3. Find an incoming policy in the SPD that matches the packet.
This could be done, for example, by use of backpointers from
the SAs to the SPD or by matching the packet's selectors
(Inner Header if tunneled) against those of the policy
entries in the SPD.
4. Check whether the required IPsec processing has been applied,
i.e., verify that the SA's found in (1) and (2) match the
kind and order of SAs required by the policy found in (3).
-> NOTE: The correct "matching" policy will not necessarily be
-> the first inbound policy found. If the check in (4) fails,
-> steps (3) and (4) are repeated until all policy entries have
-> been checked or until the check succeeds.
====
I wonder why INBOUND SPD entries are not ordered, as opposed to
outbound ones. IMHO, ordering policies is much more practical:
e.g. I wish to declare the following policies:
1/ for hosts from net 137.37 policy is P1
2/ for hosts from subnet 137.37.2 policy is P2 (stronger than P1)
3/ for host 137.37.2.105 policy is P3 (stronger than P2)
4/ for host 137.37.4.203 policy is P4 (stronger than P1)
I think it's a classical case. To obtain what I want, if the SPD is ordered, I
declare 4/, then 3/, 2/ and 1/. Without ordering policies, it is impossible
to declare such policies easily. Since address declaration types are a
single address, a range or a wildcard address, I can't declare "hosts from net
137.37 except subnet 137.37.2", hence I'm compelled to make roughly the following
declaration:
hosts in range 137.37.0.0 - 137.37.1.255 policy P1
hosts in range 137.37.3.0 - 137.37.4.202 policy P1
hosts in range 137.37.4.203 - 137.37.255.255 policy P1
hosts in range 137.37.2.0 - 137.37.2.104 policy P2
hosts in range 137.37.2.106 - 137.37.2.255 policy P2
host 137.37.2.105 policy P3
host 137.37.4.203 policy P4
If a new (differently secured) host is added on this net, the declaration
changes radically. For outbound policies, there is no problem since
policies are ordered.
Why are inbound policies unordered? I'm sure there is a good reason, but
I can't find which one. Could somebody help me?
Chris.
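The two lookup styles discussed in the message, as an added example (not part of the original post or of the draft): an ordered SPD with first-match semantics for the 137.37 policies, a routine that rewrites it into the non-overlapping ranges an unordered SPD needs (what the post writes out by hand), and the "check every matching entry" loop of steps 3 and 4 of section 5.2.1 run over the result. The policy names follow the post; the SA kinds attached to each policy (AH, ESP, and the extra host/policy P5) are assumptions made for illustration only.

```python
"""Ordered vs. unordered SPD lookup for the 137.37 example (added illustration)."""
import ipaddress
from dataclasses import dataclass


def ip(s: str) -> int:
    """IPv4 dotted quad -> integer, so selector ranges compare as integers."""
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class Entry:
    lo: int          # first address of the selector range, inclusive
    hi: int          # last address of the selector range, inclusive
    policy: str      # policy name (P1..P4 from the post)
    required: tuple  # kind and order of SAs the policy requires (assumed values)


# Ordered SPD as the post would declare it: 4/, then 3/, 2/ and 1/.
# The SA bundles attached to each policy are assumptions for the example;
# "stronger" here just means a longer or different SA bundle.
ORDERED_SPD = [
    Entry(ip("137.37.4.203"), ip("137.37.4.203"),   "P4", ("AH", "ESP")),
    Entry(ip("137.37.2.105"), ip("137.37.2.105"),   "P3", ("AH", "ESP")),
    Entry(ip("137.37.2.0"),   ip("137.37.2.255"),   "P2", ("ESP",)),
    Entry(ip("137.37.0.0"),   ip("137.37.255.255"), "P1", ("AH",)),
]


def ordered_lookup(spd, src):
    """Outbound-style lookup: the first entry whose selector covers src wins."""
    for e in spd:
        if e.lo <= src <= e.hi:
            return e.policy
    return None


def flatten(spd):
    """Rewrite an ordered SPD as non-overlapping ranges that give the same
    answers as ordered_lookup, i.e. the declaration the post has to write out
    by hand when entries are unordered. Each entry is split around the ranges
    already claimed by the entries that precede it."""
    flat = []
    for e in spd:
        pieces = [(e.lo, e.hi)]
        for f in flat:
            remaining = []
            for lo, hi in pieces:
                if hi < f.lo or lo > f.hi:      # no overlap with f
                    remaining.append((lo, hi))
                    continue
                if lo < f.lo:                   # part below f survives
                    remaining.append((lo, f.lo - 1))
                if hi > f.hi:                   # part above f survives
                    remaining.append((f.hi + 1, hi))
            pieces = remaining
        flat.extend(Entry(lo, hi, e.policy, e.required) for lo, hi in pieces)
    return sorted(flat, key=lambda x: x.lo)


def unordered_lookup(spd, src):
    """Lookup in an unordered SPD: at most one entry may cover src."""
    matches = [e for e in spd if e.lo <= src <= e.hi]
    if len(matches) > 1:
        raise ValueError("overlapping selectors in an unordered SPD")
    return matches[0].policy if matches else None


def inbound_check(spd, src, sa_chain):
    """Steps 3 and 4 of 5.2.1: walk every SPD entry matching the packet and
    accept it if one of them requires exactly the SA kind/order it arrived
    with; otherwise keep going until all entries have been checked."""
    for e in spd:
        if e.lo <= src <= e.hi and e.required == tuple(sa_chain):
            return e.policy
    return None


def range_text(spd):
    """Render an SPD the way the post lists it, for eyeballing."""
    return [f"{ipaddress.IPv4Address(e.lo)} - {ipaddress.IPv4Address(e.hi)} {e.policy}"
            for e in spd]


if __name__ == "__main__":
    flat = flatten(ORDERED_SPD)
    print(len(ORDERED_SPD), "ordered entries ->", len(flat), "unordered ranges")
    for line in range_text(flat):
        print(" ", line)
    # One more differently secured host is one more line in the ordered SPD;
    # the flattened declaration grows by two (the new host plus a split range).
    with_new_host = [Entry(ip("137.37.9.9"), ip("137.37.9.9"), "P5", ("ESP", "AH"))] + ORDERED_SPD
    print(len(with_new_host), "ordered entries ->", len(flatten(with_new_host)), "unordered ranges")
```

Running the block prints the seven non-overlapping ranges for the four ordered entries, then shows the count jumping to nine when a single extra host is given its own policy; `inbound_check` over the flattened SPD returns the matching policy only when the SA bundle the packet arrived with is exactly the one that policy requires.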