
Re: [Q] SA lookup on receive



Stephen,

I agree that the SA MUST be a tunnel mode SA if the SA was between
the IPSec host/gateway and the IPSec gateway. However, I am
considering the case where the SA is between 2 IPSec hosts and
one of the routers in between is an IPSec gateway. The host _does
not_ have an SA with the IPSec gateway.

In this case, the IPSec gateway receives an IPSec packet ... but
the destination address in the "outer" header (or the header in
the clear) is NOT one of the local addresses of the gateway.

A strict reading of the security architecture document would
cause this packet to be dropped. Thus the request for the
clarification. As I see it the input processing for the IPSec
gateway probably should be:

        If (not an IPSec packet)
        {
                look up in SPD and process accordingly
        }
        else
        {
                if (the destination is not local)
                        look up in SPD and process accordingly
                else
                        look up in SAD and process according to ID
        }

Thanks,
Abbie.

Stephen Kent wrote:
> 
> Abraham,
> 
> >When an ipsec packet is received, an SA is looked up using the
> >tuple <dest-ip,spi,protocol>. Must the dest-ip be a local ip
> >address of the security gateway? What if the dest-ip address is
> >the address of an internal host?
> 
> Any SA involving a security gateway MUST be a tunnel mode SA, so the outer
> IP address will be that of the gateway, not of the internal (ultimate
> destination) host.  The latter address will be in the inner IP header.
> 
> Steve
--
Abraham Matthews, Software Architect, CoSine Communications
Suite 200, 1070 Sixth Avenue, Belmont, CA 94002, USA
amatthews@cosinecom.com | tel 650-637-4725 | fax 650-637-4778
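The inbound dispatch Abbie sketches above, modelled as a small Python program. This is an added example for this page, not code from the thread, from CoSine, or from any RFC implementation; the addresses, SPIs, SPD entries and the "strict" flag are constructed for illustration. It keys the SAD on <dest-ip, spi, protocol> as the question describes, sends non-IPsec and non-local-destination traffic to the SPD, and contrasts the strict reading (drop an IPsec packet whose outer destination is not local) with the proposed one (forward it through the SPD like any other transit traffic).

```python
"""Toy model of inbound packet dispatch on an IPsec security gateway.

Added example, not code from the original thread. Addresses, SPIs and
SPD entries below are constructed; the dispatch logic follows the
pseudocode in Abbie's message.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ESP = 50  # IP protocol numbers for ESP and AH
AH = 51


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str                    # outer (cleartext) destination address
    proto: int
    spi: Optional[int] = None   # only present on ESP/AH packets


# Constructed SAD: inbound SAs are keyed by <dest-ip, spi, protocol>.
SAD: Dict[Tuple[str, Optional[int], int], str] = {
    ("192.0.2.1", 0x1001, ESP): "sa-tunnel-from-192.0.2.2",
}

# Constructed SPD: (src prefix, dst prefix, proto or None) -> action,
# searched in order. Traffic matching no entry is discarded, which is
# the RFC 2401 default for unmatched inbound traffic.
SPD: List[Tuple[Tuple[str, str, Optional[int]], str]] = [
    (("10.1.0.0/16", "10.2.0.0/16", None), "bypass"),      # plaintext LAN traffic
    (("198.51.100.0/24", "10.2.0.0/16", ESP), "bypass"),   # host-to-host ESP in transit
]

# Constructed set of the gateway's own addresses (outer and inner sides).
LOCAL_ADDRS = {"192.0.2.1", "10.2.0.1"}


def is_ipsec(pkt: Packet) -> bool:
    return pkt.proto in (ESP, AH)


def spd_lookup(pkt: Packet, spd=SPD) -> str:
    """First-match SPD search on (src, dst, proto); no match means discard."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for (src_net, dst_net, proto), action in spd:
        if proto is not None and proto != pkt.proto:
            continue
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action
    return "discard"


def sad_lookup(pkt: Packet, sad=SAD) -> str:
    """Exact lookup on the <dest-ip, spi, protocol> tuple."""
    sa = sad.get((pkt.dst, pkt.spi, pkt.proto))
    return f"process-with:{sa}" if sa else "discard"


def inbound(pkt: Packet, strict: bool = False,
            local=LOCAL_ADDRS, sad=SAD, spd=SPD) -> str:
    """Return the disposition of an inbound packet.

    strict=True models the literal reading Abbie describes: an IPsec
    packet whose outer destination is not a local address is dropped.
    strict=False models the proposed dispatch: such a packet is treated
    as forwarded traffic and consulted against the SPD.
    """
    if not is_ipsec(pkt):
        return spd_lookup(pkt, spd)
    if pkt.dst not in local:
        return "discard" if strict else spd_lookup(pkt, spd)
    return sad_lookup(pkt, sad)


if __name__ == "__main__":
    transit = Packet("198.51.100.9", "10.2.0.7", ESP, spi=0x2222)
    print("plaintext   :", inbound(Packet("10.1.0.5", "10.2.0.7", 6)))
    print("ESP to gw   :", inbound(Packet("192.0.2.2", "192.0.2.1", ESP, spi=0x1001)))
    print("unknown SPI :", inbound(Packet("192.0.2.2", "192.0.2.1", ESP, spi=0x9999)))
    print("transit/strict  :", inbound(transit, strict=True))
    print("transit/proposed:", inbound(transit))
```

The transit case is the one the question turns on: the same host-to-host ESP packet is dropped under the strict reading and passed under the proposed one, and only because an SPD entry explicitly permits ESP between those prefixes; an AH packet on the same path matches no entry and is still discarded.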

