Inbound processing Q
I have a Q related to the description of inbound processing in
the IPSEC architecture:
When a responder processes an IKE/ESP phase-2 from a remote
peer, the SPD can be searched for a policy
that matches the peer's IP address and supports one of the
cipher-suites being proposed. No other selector can
be used to select the best SPD entry at this point.
Once the inbound ESP-SA is in place and data starts arriving,
the packets are de-tunneled (say) and decrypted. At
that moment, if we are down to a packet that needs forwarding,
the selector fields from the packet and the cipher-suite are
matched against the inbound SPD entries, and if no match is found, the
correct action appears to be to discard the packet!
It seems that Inbound-specific SPD entries may need to include
more 'any' and 'wildcard' selector values than the outbound SPD
entries.
This suggests that phase-2 should allow negotiation of selector
fields so that the responder can then find a policy that
more fully covers the remote peer's selector ranges/explicit
values/wildcards.
Steve.
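The inbound check described in the post, as an added illustration that is not part of the original message: a decrypted inner packet (plus the cipher-suite of the SA it arrived on) is matched against inbound SPD entries, and a packet that matches none is discarded. The SPD layout, the selector names and the sample policies are constructed assumptions, not any implementation's format.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class SpdEntry:
    # Each selector is a CIDR prefix, a protocol number, a (lo, hi) port
    # range or a suite name; None means the 'any' / wildcard value.
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[int]
    dport: Optional[Tuple[int, int]]
    suite: Optional[str]   # cipher-suite the inbound ESP SA must use
    action: str            # 'PROTECT', 'BYPASS' or 'DISCARD'

def addr_matches(sel, addr):
    return sel is None or ipaddress.ip_address(addr) in ipaddress.ip_network(sel)

def port_matches(sel, port):
    return sel is None or sel[0] <= port <= sel[1]

def inbound_lookup(spd, pkt):
    """Match the decrypted packet against inbound SPD entries in order.
    No matching entry means the packet is discarded."""
    for e in spd:
        if (addr_matches(e.src, pkt["src"]) and addr_matches(e.dst, pkt["dst"])
                and (e.proto is None or e.proto == pkt["proto"])
                and port_matches(e.dport, pkt["dport"])
                and (e.suite is None or e.suite == pkt["suite"])):
            return e.action
    return "DISCARD"

# Constructed policies: a narrow inbound entry versus one with wildcards
# on the remote side, as the post suggests inbound entries may need.
NARROW_SPD = [SpdEntry("10.1.0.0/24", "192.0.2.0/24", 6, (80, 80), "AES-SHA1", "PROTECT")]
WILDCARD_SPD = [SpdEntry(None, "192.0.2.0/24", None, None, "AES-SHA1", "PROTECT")]

# Constructed decrypted packets arriving on an SA negotiated with AES-SHA1
PKT_OTHER_SUBNET = {"src": "10.2.0.7", "dst": "192.0.2.10", "proto": 6,
                    "dport": 443, "suite": "AES-SHA1"}
PKT_IN_RANGE = {"src": "10.1.0.5", "dst": "192.0.2.10", "proto": 6,
                "dport": 80, "suite": "AES-SHA1"}

if __name__ == "__main__":
    print(inbound_lookup(NARROW_SPD, PKT_OTHER_SUBNET))    # DISCARD
    print(inbound_lookup(WILDCARD_SPD, PKT_OTHER_SUBNET))  # PROTECT
```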