Re: clarification
Rohit,
   Next Hdr          Next Hdr          Derived Port Selector Field
   in Packet         in SPD            Value in SPD and SAD
   ---------------   --------------    ----------------------------
1) ESP               ESP or ANY        ANY (i.e., don't look at it)
2) -don't care-      ANY               ANY (i.e., don't look at it)
3) specific value,   specific value    NOT ANY (i.e., drop packet)
   fragment
4) specific value,   specific value    actual port selector field
   not fragment
What the table is trying to convey is that there are interactions
between the selectors used to match SPD or SAD entries themselves and
also with fields in a packet that are not classified as selectors,
i.e., the fragmentation fields. It tries to be "implementation
neutral" by specifying certain port selector values that result in the
desired behavior.
In case 1), if the protocol field in the packet identifies an ESP
header, and the protocol selector specifies either ESP or a wildcard,
i.e., the protocol matches, then one cannot use the port selector for
anything as one cannot find port values in the packet to be matched
against the selector values in the SPD or SAD. The easy way to
specify that "there are no useful port value(s) in the packet" is to
specify the source and destination port selectors as a wildcard -- ANY.
Otherwise in case 2), if one allows any protocol, then it does
not make any sense to try and specify some explicit port number, so
again, one should ignore the port selectors by specifying ANY port.
Otherwise in case 3), if the IP packet is a fragment and the SPD
requires an explicit protocol, then one cannot say that the packet is
for that protocol, and the packet must be dropped. Note that in the
case of the first fragment, one might be able to identify the
protocol. However, since the rest of the fragments will be dropped,
there is no point in letting the first one pass through. In addition
the first fragment typically has the most useful information in it, if
it is to be audited, so rejecting it immediately may produce more
meaningful diagnostics.
Otherwise in case 4), if the IP packet is not a fragment and is for an
explicit protocol, proceed to match the port fields in the packet with
the port selectors specified in the SPD. (If that protocol does not
use ports, I would expect the policy administrator to have specified
ANY for the port selectors.)
Does the above answer your questions?
Charlie
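The four cases above, written out as an added example in Python. This is not code from Charlie's message nor from any IPsec implementation; it is a small model of the table, and it assumes the IANA protocol numbers for ESP, TCP and UDP and one pre-check the message does not spell out (an entry with a specific protocol selector is only considered for packets carrying that protocol). The packets and SPD entries in the demo are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None   # wildcard selector value ("ANY" in the table)
ESP = 50     # IP protocol / next-header numbers (IANA assignments)
TCP = 6
UDP = 17

# Outcomes of applying one SPD entry to one packet
MATCH = "MATCH"        # entry applies; its action (bypass/discard/protect) governs
NO_MATCH = "NO_MATCH"  # entry does not apply; continue with the next entry
DROP = "DROP"          # entry applies and the packet must be dropped (case 3)


@dataclass(frozen=True)
class Packet:
    next_hdr: int                    # protocol / next-header field in the packet
    is_fragment: bool                # any fragment, the first one included
    src_port: Optional[int] = None   # None when no transport header is visible
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class SpdEntry:
    next_hdr: Optional[int]          # specific protocol number, or ANY
    src_port: Optional[int]          # specific port, or ANY
    dst_port: Optional[int]


def port_matches(selector: Optional[int], value: Optional[int]) -> bool:
    """ANY matches anything; a specific selector needs an equal port value."""
    return selector is ANY or selector == value


def evaluate(pkt: Packet, entry: SpdEntry) -> str:
    # Assumed pre-check (not in the message): a specific protocol selector
    # only applies to packets that actually carry that protocol.
    if entry.next_hdr is not ANY and entry.next_hdr != pkt.next_hdr:
        return NO_MATCH

    # Case 1: ESP in the packet and selector ESP or ANY. There are no port
    # values to look at, so the port selectors are treated as ANY.
    if pkt.next_hdr == ESP:
        return MATCH

    # Case 2: protocol selector is ANY. Explicit ports make no sense here,
    # so the port selectors are ignored.
    if entry.next_hdr is ANY:
        return MATCH

    # Case 3: a specific protocol is required but the packet is a fragment.
    # The port fields cannot be relied on, so the packet is dropped.
    if pkt.is_fragment:
        return DROP

    # Case 4: specific protocol, not a fragment. Compare the packet's ports
    # with the selectors (ANY on either port selector still wildcards it).
    if port_matches(entry.src_port, pkt.src_port) and \
       port_matches(entry.dst_port, pkt.dst_port):
        return MATCH
    return NO_MATCH


if __name__ == "__main__":
    # Constructed sample inputs, one per row of the table
    samples = [
        ("1) ESP, selector ESP",          Packet(ESP, False),            SpdEntry(ESP, ANY, ANY)),
        ("2) TCP, selector ANY",          Packet(TCP, False, 40000, 22), SpdEntry(ANY, ANY, 80)),
        ("3) TCP fragment, selector TCP", Packet(TCP, True),             SpdEntry(TCP, ANY, 22)),
        ("4) TCP, selector TCP dst 22",   Packet(TCP, False, 40000, 22), SpdEntry(TCP, ANY, 22)),
    ]
    for label, pkt, entry in samples:
        print(f"{label:32s} -> {evaluate(pkt, entry)}")
```

Note that rows 1 and 2 make the port selectors irrelevant even when an administrator filled them in, which is why the message recommends writing ANY there explicitly; row 3 drops every fragment, first fragment included, exactly as the text argues.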