Question about draft-ietf-ipsec-arch-sec-03.txt
Hello IPsec Folks,

I have a question concerning draft-ietf-ipsec-arch-sec-03.txt.
Here is the text about processing of inbound packets :

====
5.2 Processing Inbound IP Traffic
   [...]
5.2.1 Selecting and Using an SA or SA Bundle
   [...]
           3. Find an incoming policy in the SPD that matches the packet.
              This could be done, for example, by use of backpointers from
              the SAs to the SPD or by matching the packet's selectors
              (Inner Header if tunneled) against those of the policy
              entries in the SPD.

           4. Check whether the required IPsec processing has been applied,
              i.e., verify that the SA's found in (1) and (2) match the
              kind and order of SAs required by the policy found in (3).

          ->  NOTE: The correct "matching" policy will not necessarily be
          ->  the first inbound policy found.  If the check in (4) fails,
          ->  steps (3) and (4) are repeated until all policy entries have
          ->  been checked or until the check succeeds.
====

I wonder why INBOUND SPD entries are not ordered, as opposed to
outbound ones. IMHO, ordering policies is much more practical;
e.g., I wish to declare the following policies:

1/ for hosts from net    137.37        policy is P1
2/ for hosts from subnet 137.37.2      policy is P2 (stronger than P1)
3/ for host              137.37.2.105  policy is P3 (stronger than P2)
4/ for host              137.37.4.203  policy is P4 (stronger than P1)

I think it's a classic case. To obtain what I want, if the SPD is ordered, I
declare 4/, then 3/, 2/ and 1/. Without ordered policies, it is impossible
to declare such policies easily. Since the address selector types are a
single address, a range or a wildcard address, I can't declare "hosts from
net 137.37 except subnet 137.37.2", hence I'm compelled to make roughly the
following declaration:

hosts in range 137.37.0.0   - 137.37.1.255   policy P1
hosts in range 137.37.3.0   - 137.37.4.202   policy P1
hosts in range 137.37.4.203 - 137.37.255.255 policy P1
hosts in range 137.37.2.0   - 137.37.2.104   policy P2
hosts in range 137.37.2.106 - 137.37.2.255   policy P2
host  137.37.2.105  policy P3
host  137.37.4.203  policy P4

If a new (differently secured) host is added on this net, the declaration
changes radically. For outbound policies, there is no problem since
policies are ordered.

Why are inbound policies unordered? I'm sure there is a good reason, but
I can't find which one. Could somebody help me?

Chris.
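The ordered-versus-unordered SPD question raised above, as an added worked
example (my code, not part of the original message or of the draft): an
ordered SPD is searched top-down and the first matching entry wins, so the
four policies can be declared most-specific-first; an unordered SPD cannot
rely on entry order, so overlapping entries that disagree are ambiguous and
the policies have to be declared as disjoint ranges. The `flatten` routine
below derives those disjoint ranges automatically by subtracting every
earlier (more specific) entry from each entry, and `equivalent` checks
exhaustively that both SPDs give the same answer for the whole 137.37.0.0/16
net. Assumptions made here and not in the draft: a selector is reduced to one
inclusive IPv4 source-address range, a policy is just a label such as "P1",
and the unordered search is modelled as "all matching entries must agree"
rather than with the draft's SA kind/order check in step 4. Note that the
derived last P1 range starts at 137.37.4.204, so that host 137.37.4.203
falls under P4 only.

```python
import ipaddress
from typing import List, Optional, Tuple

# Assumption (not from the draft): a selector is one inclusive IPv4
# address range (first, last) as integers, and a policy is a label.
Range = Tuple[int, int]
Entry = Tuple[Range, str]


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def net_range(cidr: str) -> Range:
    """Inclusive (first, last) address pair covered by a CIDR prefix."""
    net = ipaddress.IPv4Network(cidr)
    return int(net.network_address), int(net.broadcast_address)


# The four policies from the message, most specific first, so that a
# top-down first-match search returns the intended policy.
ORDERED_SPD: List[Entry] = [
    (net_range("137.37.4.203/32"), "P4"),
    (net_range("137.37.2.105/32"), "P3"),
    (net_range("137.37.2.0/24"), "P2"),
    (net_range("137.37.0.0/16"), "P1"),
]


def _ordered_policy(spd: List[Entry], a: int) -> Optional[str]:
    """Ordered SPD: the first entry whose range contains a wins."""
    for (lo, hi), policy in spd:
        if lo <= a <= hi:
            return policy
    return None  # no entry at all: the packet gets no policy


def _unordered_policy(spd: List[Entry], a: int) -> Optional[str]:
    """Unordered SPD: entry order carries no meaning, so every matching
    entry must agree; disagreeing overlaps are reported as ambiguous."""
    policies = {policy for (lo, hi), policy in spd if lo <= a <= hi}
    if len(policies) > 1:
        raise ValueError(f"{ipaddress.IPv4Address(a)} matches "
                         f"{sorted(policies)}: ambiguous")
    return policies.pop() if policies else None


def lookup_ordered(spd: List[Entry], addr: str) -> Optional[str]:
    return _ordered_policy(spd, to_int(addr))


def lookup_unordered(spd: List[Entry], addr: str) -> Optional[str]:
    return _unordered_policy(spd, to_int(addr))


def is_ambiguous(spd: List[Entry], addr: str) -> bool:
    try:
        lookup_unordered(spd, addr)
    except ValueError:
        return True
    return False


def subtract(rng: Range, holes: List[Range]) -> List[Range]:
    """Pieces of rng not covered by any range in holes (all inclusive)."""
    pieces = [rng]
    for hlo, hhi in holes:
        remaining = []
        for lo, hi in pieces:
            if hhi < lo or hlo > hi:      # disjoint: keep the whole piece
                remaining.append((lo, hi))
                continue
            if lo < hlo:                  # part left of the hole survives
                remaining.append((lo, hlo - 1))
            if hhi < hi:                  # part right of the hole survives
                remaining.append((hhi + 1, hi))
        pieces = remaining
    return pieces


def flatten(ordered: List[Entry]) -> List[Entry]:
    """Rewrite an ordered SPD as disjoint entries that give the same
    answers in an unordered SPD: each entry keeps only the addresses no
    earlier (more specific) entry already covers."""
    flat: List[Entry] = []
    for i, (rng, policy) in enumerate(ordered):
        earlier = [r for r, _ in ordered[:i]]
        flat.extend((piece, policy) for piece in subtract(rng, earlier))
    return flat


def describe(spd: List[Entry]) -> List[Tuple[str, str, str]]:
    """Human-readable (first, last, policy) triples."""
    ip = ipaddress.IPv4Address
    return [(str(ip(lo)), str(ip(hi)), policy) for (lo, hi), policy in spd]


def equivalent(ordered: List[Entry], flat: List[Entry], cidr: str) -> bool:
    """Exhaustively check that both SPDs agree on every address in cidr."""
    lo, hi = net_range(cidr)
    return all(_ordered_policy(ordered, a) == _unordered_policy(flat, a)
               for a in range(lo, hi + 1))


if __name__ == "__main__":
    for first, last, policy in describe(flatten(ORDERED_SPD)):
        print(f"{first:>15} - {last:<15} {policy}")
```

Running the block prints the seven disjoint entries (one for P4, one for P3,
two for P2, three for P1). Adding a fifth, differently secured host such as
137.37.7.7 in front of the ordered list is a one-line change there, while the
flattened form grows to nine entries because the P1 net is split once more.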